{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 2.054
      },
      {
        "name": "AnalysisInfo",
        "time": 0.033
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.066
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.026
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_restart",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_objects",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "hardware_id_profiling",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "amsi_enumeration",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "suspicious_ntdll_disk_load",
        "time": 0.0
      },
      {
        "name": "direct_syscall_evasion",
        "time": 0.0
      },
      {
        "name": "unbacked_syscall_execution",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "privilege_elevation_check",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "query_fips_reconnaissance",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "debugs_self",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "dllload_suspicious_directory",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "install_kernel_driver_service",
        "time": 0.0
      },
      {
        "name": "malformed_dll_loading",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "registers_vectored_exception_handler",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_module_stomping_probing",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "section_mapping_injection",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "apc_injection",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_mutex",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_named_pipe",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_shared_memory",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "unbacked_exception_filter",
        "time": 0.0
      },
      {
        "name": "unbacked_process_mitigation_alteration",
        "time": 0.0
      },
      {
        "name": "thread_unbacked_memory",
        "time": 0.0
      },
      {
        "name": "unbacked_api_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_dotnet_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_library_load",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_apc_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_protection_alteration",
        "time": 0.0
      },
      {
        "name": "unbacked_mutex_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_process_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_veh_registration",
        "time": 0.0
      },
      {
        "name": "unbacked_com_instantiation",
        "time": 0.0
      },
      {
        "name": "unbacked_crypto_operations",
        "time": 0.0
      },
      {
        "name": "unbacked_delay_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_file_dropping",
        "time": 0.0
      },
      {
        "name": "unbacked_process_enumeration",
        "time": 0.0
      },
      {
        "name": "unbacked_registry_modification",
        "time": 0.0
      },
      {
        "name": "unbacked_service_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_token_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_wmi_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_bind_shell",
        "time": 0.0
      },
      {
        "name": "unbacked_dns_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_network_connection",
        "time": 0.0
      },
      {
        "name": "unbacked_named_pipe_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_useragent_retrieval",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "etherhiding_smart_contract_call",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "decompress_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "ransomware_iocp_asynchronous_encryption",
        "time": 0.0
      },
      {
        "name": "kernel_crypto_driver_abuse",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_extension_hijack",
        "time": 0.0
      },
      {
        "name": "mass_file_modification_access",
        "time": 0.0
      },
      {
        "name": "ransomware_attribute_stripping",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "mass_ransom_note_drop",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "byod_loldrivers_match",
        "time": 0.0
      },
      {
        "name": "byod_novel_driver",
        "time": 0.0
      },
      {
        "name": "byod_post_load_exploitation",
        "time": 0.0
      },
      {
        "name": "byod_driver_service_install",
        "time": 0.0
      },
      {
        "name": "com_spawned_process",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.0
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.001
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.0
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "pe_deep_entrypoint",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "pe_cert_invalid_signature",
        "time": 0.0
      },
      {
        "name": "pe_cert_self_signed",
        "time": 0.0
      },
      {
        "name": "pe_cert_suspicious_issuer",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "browser_credential_theft_headless",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.002
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.011
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.004
      },
      {
        "name": "antiav_detectreg",
        "time": 0.054
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.001
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.001
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.002
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.001
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.003
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.006
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.004
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.002
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.003
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.001
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "executes_headless_browser",
        "time": 0.0
      },
      {
        "name": "suspicious_browser_arguments",
        "time": 0.001
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.001
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "folder_enumeration",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.002
      },
      {
        "name": "infostealer_ftp",
        "time": 0.019
      },
      {
        "name": "infostealer_im",
        "time": 0.011
      },
      {
        "name": "infostealer_mail",
        "time": 0.004
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.002
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.0
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.0
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.0
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.004
      },
      {
        "name": "ransomware_files",
        "time": 0.006
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.001
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.019
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.001
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.001
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "iexplore.exe",
      "path": "/opt/CAPEv2/storage/binaries/43f7fa5e22fa1a00989114e7d9b58cf1fb6dadf009bff45e70f1a48d06d9eb35",
      "guest_paths": "",
      "size": 846280,
      "crc32": "DB73743F",
      "md5": "0b47a43e68bfadc9106acd3e46e85c56",
      "sha1": "9824880edc41fae722c51314265ef99fd886094f",
      "sha256": "43f7fa5e22fa1a00989114e7d9b58cf1fb6dadf009bff45e70f1a48d06d9eb35",
      "sha512": "8cb50277762391e714c9e726ce89e01b77953387d6a72674dcb9faf7d51dc9939886db9550cb266445219fcc893e2bc8cf216c289e533b972d9cad6a77c7810e",
      "rh_hash": null,
      "ssdeep": "24576:bT4lGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUMMVMl:bhMMHMMMvMMZMMMlmMMMiMMMYJMMHMMs",
      "type": "PE32+ executable (GUI) x86-64, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T113056C42F7C8D455E0B706314933CA644662FD659F2086EF319A771E2E723C36AB2E1B",
      "sha3_384": "4a99e5698b2ca4c828ed52a3c05f9b5dd2b371ec0e9447a7bb51f63040e7363215148678aaf16ea59754a262c6a30816",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\52\\iexplore.exe",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x140000000",
        "entrypoint": "0x00001cb0",
        "ep_bytes": "4883ec28e8fb0200004883c428e96efd",
        "peid_signatures": null,
        "reported_checksum": "0x000d37eb",
        "actual_checksum": "0x000d37eb",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_AMD64",
        "pdbpath": "iexplore.pdb",
        "imports": {
          "USER32": {
            "dll": "USER32.dll",
            "imports": [
              {
                "address": "0x140007310",
                "name": "GetWindowThreadProcessId"
              },
              {
                "address": "0x140007318",
                "name": "AllowSetForegroundWindow"
              },
              {
                "address": "0x140007320",
                "name": "FindWindowExW"
              },
              {
                "address": "0x140007328",
                "name": "SendMessageTimeoutW"
              },
              {
                "address": "0x140007330",
                "name": "IsWindowVisible"
              },
              {
                "address": "0x140007338",
                "name": "SetUserObjectInformationW"
              },
              {
                "address": "0x140007340",
                "name": "IsWindowEnabled"
              }
            ]
          },
          "msvcrt": {
            "dll": "msvcrt.dll",
            "imports": [
              {
                "address": "0x140007408",
                "name": "memcpy_s"
              },
              {
                "address": "0x140007410",
                "name": "iswspace"
              },
              {
                "address": "0x140007418",
                "name": "_vsnwprintf"
              },
              {
                "address": "0x140007420",
                "name": "__C_specific_handler"
              },
              {
                "address": "0x140007428",
                "name": "wcsncmp"
              },
              {
                "address": "0x140007430",
                "name": "free"
              },
              {
                "address": "0x140007438",
                "name": "_XcptFilter"
              },
              {
                "address": "0x140007440",
                "name": "_amsg_exit"
              },
              {
                "address": "0x140007448",
                "name": "__wgetmainargs"
              },
              {
                "address": "0x140007450",
                "name": "__set_app_type"
              },
              {
                "address": "0x140007458",
                "name": "exit"
              },
              {
                "address": "0x140007460",
                "name": "_exit"
              },
              {
                "address": "0x140007468",
                "name": "_cexit"
              },
              {
                "address": "0x140007470",
                "name": "__setusermatherr"
              },
              {
                "address": "0x140007478",
                "name": "_initterm"
              },
              {
                "address": "0x140007480",
                "name": "memset"
              },
              {
                "address": "0x140007488",
                "name": "_wcmdln"
              },
              {
                "address": "0x140007490",
                "name": "_fmode"
              },
              {
                "address": "0x140007498",
                "name": "_commode"
              },
              {
                "address": "0x1400074a0",
                "name": "_lock"
              },
              {
                "address": "0x1400074a8",
                "name": "_unlock"
              },
              {
                "address": "0x1400074b0",
                "name": "__dllonexit"
              },
              {
                "address": "0x1400074b8",
                "name": "_onexit"
              },
              {
                "address": "0x1400074c0",
                "name": "?terminate@@YAXXZ"
              }
            ]
          },
          "KERNEL32": {
            "dll": "KERNEL32.dll",
            "imports": [
              {
                "address": "0x1400071a0",
                "name": "CloseHandle"
              },
              {
                "address": "0x1400071a8",
                "name": "OpenSemaphoreW"
              },
              {
                "address": "0x1400071b0",
                "name": "WaitForSingleObjectEx"
              },
              {
                "address": "0x1400071b8",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x1400071c0",
                "name": "HeapSetInformation"
              },
              {
                "address": "0x1400071c8",
                "name": "FormatMessageW"
              },
              {
                "address": "0x1400071d0",
                "name": "DelayLoadFailureHook"
              },
              {
                "address": "0x1400071d8",
                "name": "ResolveDelayLoadedAPI"
              },
              {
                "address": "0x1400071e0",
                "name": "GetProcAddress"
              },
              {
                "address": "0x1400071e8",
                "name": "HeapAlloc"
              },
              {
                "address": "0x1400071f0",
                "name": "GetLastError"
              },
              {
                "address": "0x1400071f8",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x140007200",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x140007208",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x140007210",
                "name": "RtlVirtualUnwind"
              },
              {
                "address": "0x140007218",
                "name": "RtlLookupFunctionEntry"
              },
              {
                "address": "0x140007220",
                "name": "RtlCaptureContext"
              },
              {
                "address": "0x140007228",
                "name": "GetTickCount"
              },
              {
                "address": "0x140007230",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x140007238",
                "name": "QueryPerformanceCounter"
              },
              {
                "address": "0x140007240",
                "name": "SetUnhandledExceptionFilter"
              },
              {
                "address": "0x140007248",
                "name": "GetStartupInfoW"
              },
              {
                "address": "0x140007250",
                "name": "Sleep"
              },
              {
                "address": "0x140007258",
                "name": "IsDebuggerPresent"
              },
              {
                "address": "0x140007260",
                "name": "SetDllDirectoryW"
              },
              {
                "address": "0x140007268",
                "name": "DebugBreak"
              },
              {
                "address": "0x140007270",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x140007278",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x140007280",
                "name": "GetCurrentProcessId"
              },
              {
                "address": "0x140007288",
                "name": "DeleteCriticalSection"
              },
              {
                "address": "0x140007290",
                "name": "LocalFree"
              },
              {
                "address": "0x140007298",
                "name": "GetModuleFileNameA"
              },
              {
                "address": "0x1400072a0",
                "name": "CreateSemaphoreExW"
              },
              {
                "address": "0x1400072a8",
                "name": "HeapFree"
              },
              {
                "address": "0x1400072b0",
                "name": "SetLastError"
              },
              {
                "address": "0x1400072b8",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x1400072c0",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x1400072c8",
                "name": "ReleaseSemaphore"
              },
              {
                "address": "0x1400072d0",
                "name": "GetModuleHandleExW"
              },
              {
                "address": "0x1400072d8",
                "name": "TerminateProcess"
              },
              {
                "address": "0x1400072e0",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x1400072e8",
                "name": "SetErrorMode"
              },
              {
                "address": "0x1400072f0",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x1400072f8",
                "name": "LocalAlloc"
              },
              {
                "address": "0x140007300",
                "name": "CreateMutexExW"
              }
            ]
          },
          "api-ms-win-downlevel-advapi32-l1-1-0": {
            "dll": "api-ms-win-downlevel-advapi32-l1-1-0.dll",
            "imports": [
              {
                "address": "0x140007350",
                "name": "RegGetValueW"
              },
              {
                "address": "0x140007358",
                "name": "EventRegister"
              },
              {
                "address": "0x140007360",
                "name": "EventWriteTransfer"
              },
              {
                "address": "0x140007368",
                "name": "EventWriteEx"
              },
              {
                "address": "0x140007370",
                "name": "EventUnregister"
              }
            ]
          },
          "api-ms-win-downlevel-shell32-l1-1-0": {
            "dll": "api-ms-win-downlevel-shell32-l1-1-0.dll",
            "imports": [
              {
                "address": "0x140007390",
                "name": "SetCurrentProcessExplicitAppUserModelID"
              }
            ]
          },
          "ADVAPI32": {
            "dll": "ADVAPI32.dll",
            "imports": [
              {
                "address": "0x140007190",
                "name": "EventSetInformation"
              }
            ]
          },
          "iertutil": {
            "dll": "iertutil.dll",
            "imports": []
          },
          "api-ms-win-downlevel-shlwapi-l1-1-0": {
            "dll": "api-ms-win-downlevel-shlwapi-l1-1-0.dll",
            "imports": [
              {
                "address": "0x1400073a0",
                "name": "StrStrIW"
              }
            ]
          },
          "api-ms-win-downlevel-ole32-l1-1-0": {
            "dll": "api-ms-win-downlevel-ole32-l1-1-0.dll",
            "imports": [
              {
                "address": "0x140007380",
                "name": "CoCreateGuid"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x00008c28",
            "size": "0x000000c8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0000d000",
            "size": "0x000bd5a0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x0000b000",
            "size": "0x000005a0"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x000cc000",
            "size": "0x000029c8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x000cb000",
            "size": "0x00000070"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00007df8",
            "size": "0x00000070"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00007168",
            "size": "0x00000028"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00007020",
            "size": "0x00000148"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00007190",
            "size": "0x00000340"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00008a50",
            "size": "0x00000060"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00001000",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00004dfc",
            "size_of_data": "0x00005000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "5.93"
          },
          {
            "name": "fothk",
            "raw_address": "0x00006000",
            "virtual_address": "0x00006000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "0.02"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00007000",
            "virtual_address": "0x00007000",
            "virtual_size": "0x0000270e",
            "size_of_data": "0x00003000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "3.84"
          },
          {
            "name": ".data",
            "raw_address": "0x0000a000",
            "virtual_address": "0x0000a000",
            "virtual_size": "0x000009e0",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.13"
          },
          {
            "name": ".pdata",
            "raw_address": "0x0000b000",
            "virtual_address": "0x0000b000",
            "virtual_size": "0x000005a0",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "1.86"
          },
          {
            "name": ".didat",
            "raw_address": "0x0000c000",
            "virtual_address": "0x0000c000",
            "virtual_size": "0x00000038",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.06"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x0000d000",
            "virtual_address": "0x0000d000",
            "virtual_size": "0x000bd5a0",
            "size_of_data": "0x000be000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "6.45"
          },
          {
            "name": ".reloc",
            "raw_address": "0x000cb000",
            "virtual_address": "0x000cb000",
            "virtual_size": "0x000000c8",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "0.30"
          }
        ],
        "overlay": {
          "offset": "0x000cc000",
          "size": "0x000029c8"
        },
        "resources": [
          {
            "name": "EDPENLIGHTENEDAPPINFOID",
            "offset": "0x000294a0",
            "size": "0x00000002",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "1.00"
          },
          {
            "name": "EDPPERMISSIVEAPPINFOID",
            "offset": "0x000294a8",
            "size": "0x00000002",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "1.00"
          },
          {
            "name": "MUI",
            "offset": "0x000ca448",
            "size": "0x00000158",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.12"
          },
          {
            "name": "WEVT_TEMPLATE",
            "offset": "0x00010130",
            "size": "0x0001936a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.34"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000294b0",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.95"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00029b18",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.39"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00029e00",
            "size": "0x000001e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.43"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00029fe8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.38"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0002a110",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.21"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0002afb8",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0002b860",
            "size": "0x000006c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.93"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0002bf28",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.43"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0002c490",
            "size": "0x0000cbf1",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00039088",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.96"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003b630",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003c6d8",
            "size": "0x00000988",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.62"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003d060",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.36"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003d588",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003dbf0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.70"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003ded8",
            "size": "0x000001e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.57"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003e0c0",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.11"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003e1e8",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.08"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003f090",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.87"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0003f938",
            "size": "0x000006c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.22"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00040000",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00040568",
            "size": "0x000097d2",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.98"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00049d40",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.46"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004c2e8",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.94"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004d390",
            "size": "0x00000988",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.95"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004dd18",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.91"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004e240",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.12"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004e528",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.64"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004edd0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.13"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0004fea8",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000501a8",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.69"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00050490",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.98"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000505b8",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.00"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00050e60",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.69"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000513c8",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.13"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00052470",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.01"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00052938",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.90"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00052c20",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00052d48",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.99"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000535f0",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.84"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00053b58",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.33"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00054c00",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.42"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000550c8",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.75"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000553b0",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.37"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00055c58",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.28"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00056d30",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.80"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00057018",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.75"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000578c0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.35"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00058998",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00058c80",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.24"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00058da8",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.91"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00059650",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.13"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00059bb8",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.89"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005ac60",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.84"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005b128",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.18"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005b410",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.31"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005b560",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.20"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005b688",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.19"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005bbf0",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.48"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005c088",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.40"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005c1b0",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.74"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005c718",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.27"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005cbb0",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.11"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005ccd8",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005d240",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.91"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005d6d8",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005dd40",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.70"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e028",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.11"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e150",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.08"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005eff8",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.87"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f8a0",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005fe08",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.46"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000623b0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.94"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063458",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.91"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063948",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.75"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063c30",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.63"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063d58",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.37"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00064600",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.37"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00064b68",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.28"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00065c10",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.37"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000660d8",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.86"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000663c0",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.30"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000664e8",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.02"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00066d90",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.82"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000672f8",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.12"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000683a0",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.25"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00068868",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.86"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00068b50",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.30"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00068c78",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.02"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00069520",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.82"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00069a88",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.12"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006ab30",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.25"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006aff8",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.86"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006b2e0",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.30"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006b408",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.02"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006bcb0",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.82"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006c218",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.12"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006d2c0",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.25"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006d788",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.52"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006da70",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.69"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006db98",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.26"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006e440",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.99"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006e9a8",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.73"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006fa50",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.04"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0006ff18",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.58"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00070200",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.46"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00070328",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.54"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00070bd0",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.70"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00071138",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.37"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000721e0",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.55"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000726a8",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.04"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00072990",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.36"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00073238",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.19"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00074310",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.23"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000745f8",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.90"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00074ea0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00075f78",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.21"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000765e0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.81"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000768c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.32"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000769f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.78"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00077898",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.39"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00078140",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.26"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000786a8",
            "size": "0x0000414c",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.92"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0007c7f8",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0007eda0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.16"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0007fe48",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.29"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00080348",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.95"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000809b0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.39"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00080c98",
            "size": "0x000001e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.43"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00080e80",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.38"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00080fa8",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.21"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00081e50",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000826f8",
            "size": "0x000006c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.93"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00082dc0",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.43"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00083328",
            "size": "0x0000cbf1",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0008ff20",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.96"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000924c8",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00093570",
            "size": "0x00000988",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.62"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00093ef8",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.36"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00094420",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00094a88",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.70"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00094d70",
            "size": "0x000001e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.57"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00094f58",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.11"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00095080",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.08"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00095f28",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.87"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000967d0",
            "size": "0x000006c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.22"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00096e98",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00097400",
            "size": "0x000097d2",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.98"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a0bd8",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.46"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a3180",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.94"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a4228",
            "size": "0x00000988",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.95"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a4bb0",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.91"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a50d8",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.95"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a5740",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.39"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a5a28",
            "size": "0x000001e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.43"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a5c10",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.38"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a5d38",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.21"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a6be0",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a7488",
            "size": "0x000006c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.93"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a7b50",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.43"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000a80b8",
            "size": "0x0000cbf1",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b4cb0",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.96"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b7258",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b8300",
            "size": "0x00000988",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.62"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b8c88",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "6.36"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b91b0",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b9818",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.70"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b9b00",
            "size": "0x000001e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.57"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b9ce8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.11"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000b9e10",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.08"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000bacb8",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.87"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000bb560",
            "size": "0x000006c8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.22"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000bbc28",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.45"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000bc190",
            "size": "0x000097d2",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.98"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000c5968",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.46"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000c7f10",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.94"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000c8fb8",
            "size": "0x00000988",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.95"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000c9940",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.91"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x000b90f0",
            "size": "0x000000bc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.20"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00094360",
            "size": "0x000000bc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.19"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x000c9da8",
            "size": "0x000000bc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.18"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x000a5018",
            "size": "0x000000bc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.19"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0003d4c8",
            "size": "0x000000bc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.07"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0004e180",
            "size": "0x000000bc",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.14"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0004fe78",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.59"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00050190",
            "size": "0x00000014",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.32"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00055068",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.80"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x000528d8",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.77"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00056d00",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.59"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00058968",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.59"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0005b538",
            "size": "0x00000022",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.56"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0005b0c8",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.82"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0006feb8",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.79"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0005c058",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.56"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0005cb80",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.56"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0005d6a8",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.56"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00072648",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.82"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x000638c0",
            "size": "0x00000084",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.04"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00066078",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.82"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00068808",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.82"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0006af98",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.82"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0006d728",
            "size": "0x0000005a",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.82"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x000742e0",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.59"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00075f48",
            "size": "0x00000030",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.59"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x000802b0",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.04"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x000c9e68",
            "size": "0x000005e0",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.46"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0000f960",
            "size": "0x000007c9",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "4.91"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Internet Explorer"
          },
          {
            "name": "FileVersion",
            "value": "11.00.26100.8115 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "iexplore"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "IEXPLORE.EXE"
          },
          {
            "name": "ProductName",
            "value": "Internet Explorer"
          },
          {
            "name": "ProductVersion",
            "value": "11.00.26100.8115"
          },
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Internet Explorer"
          },
          {
            "name": "FileVersion",
            "value": "11.00.26100.8115"
          },
          {
            "name": "InternalName",
            "value": "iexplore"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "IEXPLORE.EXE"
          },
          {
            "name": "ProductName",
            "value": "Internet Explorer"
          },
          {
            "name": "ProductVersion",
            "value": "11.00.26100.8115"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "444e14d89c0c88fc100a108d54fd339f",
        "timestamp": "2016-04-29 12:31:17",
        "icon": "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",
        "icon_hash": "9afc87754e29bafb0903e08398ce1745",
        "icon_fuzzy": "af8f90e3b3853bbf98e9e4a582f8229a",
        "icon_dhash": "c070cc9cfecde976",
        "imported_dll_count": 9
      },
      "data": null,
      "strings": [
        "`X\"8|N",
        "Browseui_HangUI_ShowNotificationBar",
        "hpzzzz",
        "nnqqqqqzqqqojiUR:",
        "Find_FindFirstHit",
        "NewVisibleState",
        "EUPP_HandleAsyncOperationResult_Perftrack",
        "oB!:6",
        "CIMContextMenuBar_Hide_Perftrack",
        "AFR#@.2#$",
        "EmptyTab_Timer_Timeout",
        "*00>V",
        ".CRT$XCA",
        "EmptyTab_Reuse_ReuseTabThread_Failed",
        "Browseui_TabBand_Activity",
        "_ppppppppppppppppppnppn_",
        "r<st=",
        "FirstRunDialog_Show",
        "UnifiedListView_Displayed_Complete_Perftrack",
        "HQ7+`",
        "g~vzw",
        "771/00",
        "TravelLogScreenshotNav",
        ".text$di",
        "}gwVq{uE",
        "`0^0\\",
        "&L8O\"",
        ".didat$4",
        "IDATp",
        "Imaging_SendIconicLivePreviewBitmap",
        "EmptyTab_Reuse_ReinitializeBrowserTab_Failed",
        "r[0/#",
        "Browseui_OnPrepareVisibleComplete",
        "IDATo",
        "/;.`D",
        ".pdata",
        "x\\3.N,:",
        "t$ WH",
        "px||dlvv",
        "nnnnnnnnnn",
        "QI!!w",
        "/8U[SA",
        "kxD6 N",
        "SelectTabAsyncFlags",
        "Bing_Suggestions_ServiceRequest",
        "^^]\\NF",
        "X0V0T",
        "<r@H{",
        "Immersive_Travellog_NavigationComplete_TimeOut",
        "Y4SROO5H",
        "300930183225Z0|1",
        "~~~~{{{yt",
        "-DT l",
        "0v0_1",
        "            <!--This Id value indicates the application supports Windows 7/Server 2008 R2 functionality-->",
        "r4A\\p",
        "Browseui_Favs_ItemsChanged",
        "S[OLN",
        "ElementId",
        "NotificationBar_Hide",
        "8888888888888",
        "j[//G",
        "R]LYr",
        "9^\"VE",
        "Bing_Suggestions_ServiceResponse",
        "DDDDO",
        "(1AH-",
        "Pl$#l",
        "        </windowsSettings>",
        "ButtonText",
        "^H)'I2g",
        "Y3{?q",
        "jijFmkm",
        "ImageType",
        "bf_^`",
        "KNJF3&",
        "OC_tA",
        "HistoryBrokerStartup",
        "NewTabPageData_Build",
        "TerminateProcess",
        "LogHr",
        "X[jenab",
        "ContextName",
        "DependentPID",
        "OnlineHistoryAdd",
        "DataModel_Provider_WorkerThread",
        "nh4GZ",
        "D,/V%~",
        "XWVONc}",
        " N''T ",
        "FindBar_TermChange",
        "FFFBFB?B?333201",
        "01111111111111111111111",
        "qnh,\"",
        "Microsoft-IEFRAME",
        "Microsoft.Windows.App.Browser",
        "w\\3+M*7",
        "p>80G",
        " http://www.microsoft.com/windows0",
        "d7z'l",
        "DLM_Security_Malware",
        "z;=??<5b-",
        "WS_ExecuteQuery",
        "!!!   ",
        "Thumbnail_RemoveGutters",
        "IDAT9#",
        "tabhydration",
        "NotificationBar_OverrideHide",
        "IsWindowEnabled",
        "Find_FindHits",
        "?&\"k0",
        "QGPPQUUc",
        "DataModel_Provider_Query",
        "BFCache",
        "hwndNext",
        "5<_`O",
        "EmptyTab_Conversion_CleanUpBrowserTab_Begin",
        ":DKWWKFB$",
        "Shdocvw_BaseBrowser_FireEvent_NewWindow",
        "DIConfidence",
        "%!-ae^'",
        "Title",
        "Z?\"%9",
        "TabRoaming_KeepTabInDirtyList",
        "i=uSg",
        "om7Lm",
        "Microsoft Corporation100.",
        "Browseui_HangUI_CreateCoverWindow",
        "ImageStore_Activity_SingleImage",
        "fA9>u",
        "                    uiAccess=\"false\"/>",
        "RDQT(",
        "!Jht~{{{{{p[3",
        "QSA_UpdateGroup_Perftrack",
        ".didat$5",
        "OnlineHistoryDelete",
        "|l|gp",
        "\\__gahss",
        "Fd?B(",
        "Immersive_Travellog_SwipeStartThresholdMet",
        "UnifiedListView_Populate",
        "D$@E3",
        "_ppppppppppppppppp[pf[L",
        "CreateSemaphoreExW",
        "V~l#a",
        ",28hQ",
        "oL$0f",
        "333~kO",
        "1F$A\"w",
        "ReturnHr",
        "sharecharm",
        "txuscUU",
        "c#b&*|||",
        ".text$mn",
        "D2J1\"",
        "'fhimmmhf+%",
        "Shdocvw_VirtualTab_NavigateInWebBrowser_Navigate2Call",
        "hppii",
        "hET\">",
        "`fothk",
        "A=biy",
        "jjjnnpp",
        ":fZ30L",
        "Yhttp://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Code%20Signing%20PCA%202024.crl0w",
        "LA>H5",
        "CIMNavBar_Hide_Perftrack",
        "ResumeReason",
        "Browseui_HangUI_AttachThreadInputHelper",
        "IEFRAME.dll",
        ".((%$ ",
        ".rdata$zETW2",
        "}F*Lj",
        "|yu~z",
        "HcA<H",
        "K SVWH",
        "RegGetValueW",
        "dF7vv",
        "/?TGd",
        "0!l8$",
        "LCIEDownloader_CreateIsoComponent",
        "dbba`^^]]F",
        "3[2\"?",
        "ppnpnppnnp",
        "UTCReplace_AppSessionGuid",
        ".($  ",
        "y)Pp2",
        "N0L0J",
        "bqnA%>g",
        "wwwww",
        "TabRoaming_WriteProcessInfo",
        "Browseui_SelectTabTimerTriggered",
        "Microsoft Time-Stamp Service0",
        "subsystem",
        "Browseui_HungTabHeartBeat_Timer_Invisible",
        "GetModuleHandleW",
        "*,315",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\safecast.h",
        "{T kv",
        "__set_app_type",
        "IMDownloadWindow_Show_Perftrack",
        "'->]7",
        "2111111111111111111110",
        "wininet",
        "ploEwoq",
        "DominantImageUrl2",
        "48r;\"",
        "9Hi]j",
        "Oj1E /",
        "Reason",
        "tz5@*",
        "UserInitiated",
        "1YYYY1YY7=6,,,,$VVVVUW ",
        "CloseHandle",
        "1YYYY1YYYYYYYYYYYYYYWWWVVV0",
        "j(#)3",
        "Find_HighlightHitsStatus",
        "ExtensionCreate",
        "YLD|y1",
        "LcA<E3",
        "HMLKFFFFFFc",
        "tRljCzII}kh;",
        "wwxwwwxwxxp",
        "DLM_Security_AntiVirus",
        "Uint32Val",
        "(caller: %p) ",
        "g+nMI",
        "CreateThumbnail",
        "AllowSetForegroundWindow",
        "TravelLogScreenshotNav_OldTab_CancelingSwitch",
        "TEMP4",
        "$<kzh",
        "controlpanel",
        "_XcptFilter",
        "L$XzKH",
        "iIDAT",
        "uuuttrrrrrrrrz",
        "{]A}(N44",
        "ImageDimY",
        ".rsrc$02",
        "unifiedlistview",
        "IntelliForms_Evaluate_AutoStuff",
        "1YYYY1YY9GEAA=77YRNNNW:.VT1",
        "Browseui_FeedViewer_PreviewStream",
        "Y.hilkRROMLK=C,",
        "DLM_DownloadWindow_Hide",
        "KERNEL32.dll",
        "Suspending",
        "A.#UU",
        "p]7@~",
        "BE})$",
        "FlipAhead_RulesFileUpdate",
        "Browseui_Tabs_WaitMessage",
        "pageloadbreakdown",
        "HistorySwitchView",
        "TEMP|",
        "memset",
        "4W~:P",
        "Frame_OnCreate",
        "(e;9_R]",
        "Status On Request",
        "q\\Q17",
        "DownloadWindow_HistoryPopulate_Perftrack",
        "BrowserFrame_AddTab_WaitForActivationKind",
        "1YYVV1YY",
        "tgti/",
        "t{{{{{{tttp",
        "!QHD`",
        ".didat$3",
        ")4{d.l",
        "dddKffgK",
        "BrowserRoamedSettingChange_TypedUrls",
        "_commode",
        "rsusEt",
        "Frame_TabBandMove",
        "W~7t~",
        "7WP!?|",
        "TEMP(",
        "USER32.dll",
        "{T|}U?",
        "M>8Hcp",
        "OC~r<",
        "immersive",
        "uckhl",
        "Bing_Suggestions_ParseXmlResponse",
        "DownloadWindow_Items_Removed",
        "IEApplicationStart",
        ".00cfg",
        "Z,[iqe",
        "Recovery_ReadRecoveryStore",
        "?flew",
        "L9{Hu",
        "Shdocvw_VirtualTab_RedirectUrlWithBindInfo",
        "Browseui_Tabs_Move",
        "SetLastError",
        "\\-0XH1*",
        "hluv{",
        "SetHung",
        "tLB,\"",
        "TabRoaming_Delete",
        "%FAW1",
        "=0w8X",
        "/I}6&",
        "}s(-RihiPROKI:<&",
        "CreateHTMLPreview_ShowWindow",
        "reason",
        "Shdocvw_BaseBrowser_DocumentComplete",
        "NotificationManager_NotificationBarReady",
        "~;EmQ",
        ";;<wnmj",
        "QueryHistory",
        "CommandID",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "~~~~{~{yttn",
        "IWL=Eevm",
        "wwwwwwwwwwp",
        "''''##'",
        "Microsoft Corporation0",
        "IDATF",
        "11.00.26100.8115 (WinBuild.160101.0800)",
        "xSu$W",
        ".CRT$XIA",
        "b}k!kB",
        "Microsoft Time-Stamp Service",
        "1w8y!",
        "MMMM9",
        "c4Z'Ej[ 5\"",
        "\\F= &",
        "SelectTabAsyncTabID",
        ";4=Y/",
        "/cfff",
        "UnifiedListView_Query_Favorites_Perftrack",
        "Find_ActivateBar",
        "EmptyTab_Conversion_CleanupRecoveryData_Failed",
        "Browseui_Tabs_Tearoff_BetweenWindows",
        "__C_specific_handler",
        "**(%)444?HNN",
        "(#'(+(''''!'!",
        "A_A^_^]",
        "MessageCount",
        "A_A^A\\_]",
        "IEApplicationExit",
        "[xVXQ",
        "Imaging_SendIconicThumbnail",
        "-fFx6",
        "CDC_E",
        "1OOOOOOOOOOOOOOOONPPP1",
        "EmptyTab_Timer_Start",
        "_PG:-%%-",
        "@o9t,",
        "en-US",
        "UnifiedListView_DefaultAction",
        "LEVLh",
        "5t}?3",
        "?1%SGf",
        "MaxBlockingTime",
        "\"B^^]PE",
        "~iSRR",
        "IsDebuggerPresent",
        "extended",
        "Vq~Y=",
        "QSA_CalculateTilesInView_Perftrack",
        "TmU&F",
        "TEMP`",
        ".CRT$XLZ",
        "BrowserRoamedSettingChange_TrackingProtection",
        "6G\" b",
        "NotificationManager_NotificationBarButtonClick",
        "!#4VBc9",
        "NewTabPage_SearchBox_Hide",
        "kernelbase.dll",
        ".text$x",
        ":s_`[",
        "D$xE3",
        "CLSID",
        ".lPV)",
        "Application",
        "{28fb17e0-d393-439d-9a21-9474a070473a} ",
        "IE_Wer_Report_Hang",
        "n,@r_",
        "Frame_SearchBandCreate",
        "Tnnnnnnnnnj",
        "tabID",
        "                <requestedExecutionLevel",
        "Reading Mode Content",
        "Iw %n",
        "RaiseFailFastException",
        "E>NI6",
        "HistorySearchSwitchView",
        "TabRoaming_Update",
        "_0Oio=NA",
        "-newtab",
        "s/Z7z",
        "Frame_CommandBandCreate",
        "]bolSTQML=<;-)s",
        ":<OSSQ",
        "1YYYYM111111111111111111112",
        "y?4/ ",
        "CaWNN",
        "e$t}F",
        ".CRT$XIY",
        "8fD]@",
        "'Kn)yvDstbW",
        "Browseui_Tabs_NavToDroppedLink",
        "_pppppppppppppppnppp_[RQ",
        "LogNt",
        "`.rdata",
        "4Mx~Q",
        "[.<wc",
        "fg:SM",
        "20260321095147.076Z0",
        ">NGdx",
        "FavCenterClose",
        "SCODEF:",
        ";NRlI",
        "888777777",
        "BrowserThreadProc_StartFrame",
        "Browseui_Tabs_OnNavigateComplete2",
        "|$8E3",
        ".CRT$XIAA",
        "?terminate@@YAXXZ",
        "1YYYY0QQQRQQQRQQQRQQ",
        "WaitingTaskCount",
        "XW_(P",
        "Find_HighlightHits",
        "BrowserThreadProc_Next",
        "&S|9a",
        "Frame_CommandBarCreate",
        "geeVU",
        "V%%(((",
        "Browseui_TabSuspension_Suspend",
        "TravelLogScreenshotNav_NewTab_IsNotReadyToSwitch",
        "WAVAWH",
        "-embedding",
        "Microsoft Corporation1&0$",
        "Browseui_ActivationRegistrar_OnCleanup",
        "Z\\ojhkSTMMM<=C&",
        "+?@(IJ",
        "8#8v\"",
        "14FF@E",
        ";p+3KK",
        "_ji6W",
        "CHANp",
        "7!}O\"",
        "`A>e_",
        "\\zq5%`",
        "HcT$ HcL$$H",
        "SendMessageTimeoutW",
        "3g033",
        "SetUnhandledExceptionFilter",
        "TASKl",
        ".ApX/",
        " N*;]a`G3'W ",
        "9_'LJ",
        "\"A_Rb",
        "Disable",
        "\"HMtcX",
        "IDATx",
        " A_A^_",
        "@D24E3C1D09E874225DAC529867B92629B3B8D6810A8BBC36F2510D361522927F0Z",
        "Ou5}?Y7",
        "ZWZZXXXVVZ",
        "[%hs]",
        "EventUnregister",
        "WCVB64''!",
        "WilError_03",
        "wwwwwwwwwwww",
        "wwwwwwwww",
        "DF443333130",
        "`v$J6",
        "g Sk?eY",
        "            </requestedPrivileges>",
        "Find_FindFirstHit_Perftrack",
        "<MHMI8*",
        ".CRT$XCZ",
        "bingsuggestions",
        "df||tg",
        "wtP<W",
        "TGEtwzyqz",
        "Terminate_Browser_Tab_Process",
        "_PURUUUU",
        "wwwwwwwwwwwww",
        ";33;33;0N",
        ".rdata$voltmd",
        "api-ms-win-downlevel-shlwapi-l1-1-0.dll",
        "Browseui_Tabs_Activity_Show",
        "wwwwp",
        "02rWed",
        "^[ONN",
        "O?zKN",
        "LCIE_ForeignProcessMessageQueueEnqueue",
        "DE4/4////////---",
        "DataModel_Query",
        "<\"dzNZ",
        "'?tBRp",
        "/%=2=2[",
        "uPH9i",
        "NotificationBar_OverrideShow",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "NewTabPage_SearchBox_Show",
        "TravelLogScreenshotNav_NewTab_IsReadyToSwitch",
        "Attach",
        "b > -",
        "DNnh<t)",
        "lihhil",
        "RUSQQQQQ",
        "WEVT|",
        "SetCurrentProcessExplicitAppUserModelID",
        "eZzjU",
        "M#mvDF",
        "win:Stop",
        "J>f;O",
        "Find_HighlightHits_Perftrack",
        "MHMM7)",
        "kW)/Z0",
        "E}II}-$%#'TuSM",
        "LayerValue",
        "_vsnwprintf",
        "EmptyTab_Conversion_CleanUpBrowserTab_Failed",
        "(%&'00443445?",
        "wsL>W",
        "Browseui_BringBrowserTabAlternateOwnerForward",
        "UVWATAUAVAWH",
        "Hf iC",
        "1YYYY1YY ####%# VVVVVT",
        "+T]K(",
        "T$@E3",
        "261113184817Z0",
        "ihimzy{",
        "gdMkS7",
        "00.,,,4(",
        "!This program cannot be run in DOS mode.",
        "W1U!F@<0",
        "QRNNN",
        "(=Xen",
        "@@@@@@@@@@",
        "CreateThumbnail_Immersive_Perftrack",
        "Browseui_CBrowserFrame_CreateInstance",
        "Fsccspc",
        "Event Type",
        "DLM_Security_AppRep",
        "Frame_AddFirstTab",
        "VarFileInfo",
        "tccg|",
        "IdleManager_AddIdleTask",
        "ImageKey",
        " A_A^A\\",
        "AddonName",
        "1Y444V444VVVSVSVSSSSS1",
        ".didat$7",
        ");IQJ1+",
        "Immersive_Travellog_NavigationStart_TimeOut",
        "RRRRRRRRR",
        ".CRT$XIZ",
        "['/FWL",
        "1YYYY1YY+$$+%%%%VRNNNT",
        "jVUU@@7",
        "wwwwwwww",
        "_xssx",
        "(2Wt[9pd",
        "\\.I=Y",
        "Browseui_PrepareResizeAsync",
        "OPnb^",
        "PinnedSites_OfferedImagesComplete",
        "BrowserRoamedSettingChange_TrackingProtectionLists",
        "gDDh9",
        "//////////////",
        "wwwwww",
        "ProductVersion",
        "IsWindowVisible",
        "GetWindowThreadProcessId",
        "Shdocvw_BaseBrowser_FireEvent_WindowStateChanged",
        "_initterm",
        "Window_Maximized",
        "y|U3a",
        "DominantImageClassifier",
        "C?&f{fp",
        "QSA_OpenUnfilteredView_Perftrack",
        "uvv,opp",
        "<MMIM8",
        "ReturnNt",
        "f9,^u",
        "~)EQ ",
        "pnnpnnnnnn",
        "XX\\jb_`",
        "win:Start",
        "}t{}~~~zzo777kkxx",
        "|`p0YU",
        "-di\".",
        "OpType",
        "3....(.''$ ",
        "IE_API_Timer",
        ".CRT$XCU",
        "DLVA_Animation_Perftrack",
        "b@IKg",
        "SupportedDataMask",
        "_fmode",
        "QSA_PopulateTiles_Perftrack",
        "    <description>Internet Explorer</description>",
        "]_gmmqq",
        "}}5\"n",
        "w=(>?",
        "988r+++,",
        "llgwp",
        "ZUGa4",
        "HeapFree",
        "Browseui_Tabs_Tearoff_BetweenWindows_TabProc",
        "RtlDllShutdownInProgress",
        "T:E6m2A",
        "cPJ>:-*Gx`*>",
        "pv)[?",
        "AnimationType",
        "UnifiedListView_Cancelled_Perftrack",
        "%>D7-",
        "# O,;[J;'W ",
        "=/M;I",
        "/eokSSUQVL=E;9);",
        "FailFast",
        "vtl|e",
        "k0i0g",
        "EUPP_HPNavigationTriggerProtection_Perftrack",
        "CRIMh",
        "w2<<L",
        "TriggerProtectionHResult",
        "    </trustInfo>",
        "wwwwwwwwwx",
        "#-de^'",
        "nsr@2zGGzcxm",
        "HistoryBrokerShutdown",
        "pnpnnnnnnn",
        "Browseui_HangUI_ScriptRecoveryTimeout",
        "[jejfbe",
        ",--SHGG",
        "H>O-jb*",
        "t|\\c$",
        "0020..9(",
        "TabRoaming_PLMSuspendWithOutstandingTimer",
        ",37AAA52+#",
        "Description",
        ".rdata$zETW1",
        "wwwwwwwwwwx",
        "ResolveDelayLoadedAPI",
        "TASK m",
        "TEMP ",
        "UJ_Pbp",
        "HistoryByDateSwitchView",
        "%,--A",
        "Hfff0",
        "Shdocvw_BaseBrowser_FireEvent_BeforeScriptExecute",
        "p`YT+(",
        "B!EYQ",
        "rqokzzz",
        "Search_ImageProcessing",
        "        <security>",
        " N';]aa`[C4'W ",
        "\\/48718",
        "um/a~",
        "Find_FindHits_Perftrack",
        "~t7bbbb77777.7-...-R",
        "TabRoaming_FindRoamedMachines",
        "o\\$PH",
        "CurrentVisibleState",
        "3$zBPs",
        "UnifiedListView_Query_Feeds_Perftrack",
        "f?[I/f",
        "tr&2bvfd|||l",
        "D$0E3",
        "oD$ f",
        "zwwwp",
        "AddToHistory",
        "IdleManager_RemoveExpiredRunningTask",
        "Browseui_TabSuspension_Check_Suspendable",
        "PopulateOptions",
        "v#if#",
        "Browseui_Tabs_CloseOtherTabs",
        "@j[U0",
        "InputPanelShow",
        "            <!--This Id value indicates the application supports Windows 8/Server 2012 functionality-->",
        " dK [",
        "IdleManager_TaskCount",
        "T$8H!|$8",
        "IDATk",
        "{ AVH",
        "History_Journal_Write_Command",
        "'t{N'",
        "kwE*PPB_",
        ";X;y'+",
        "Shdocvw_BaseBrowser_FireEvent_DownloadBegin",
        "OPCOT",
        "vN8@/",
        "\"VU6U",
        "\\__aac",
        "nShield TSS ESN:3605-05E0-D9471%0#",
        "\"F.+7/",
        "Window_Restored",
        "%ip=?GJG^=",
        "}6Ju[`|",
        "Browseui_Tabs_DropOnFavorites",
        "32;;=C",
        "000.,,9(",
        "Tab_ShellBrowser_OnBeforeUnload",
        "EmptyTab_Conversion_FinalNavigation_Failed",
        "}KK}}}}}}}}}}}}}}KKKKRKKKRKKKRKKKK",
        "UnifiedListView_MultipleCharacterQuery",
        "Z*imN",
        "DLM_DownloadBar_Close",
        "TabRoaming_ReadProcessInfo",
        "IMDownloadWindow_Hide_Perftrack",
        "t;fD99t5",
        "@.%'`",
        "O}IK}P98:[_^`w]\\Q}KK}",
        "`pp*E",
        "Rp$RCJ",
        " (?D=1",
        "t:LLLp",
        "6wi g\"",
        "|gl|ep",
        "favicon",
        "Shdocvw_BaseBrowser_Navigate",
        "as.,k{n?,",
        "LEVL@",
        "zzzqqiiPE",
        "1&lk66",
        "win:ResponseTime",
        "6L[}j",
        "DRSR9",
        "Tab_InitializeBrowserState",
        "rFl}\\",
        "sessionID",
        ".rsrc",
        "z4 $v",
        "cvListVersion",
        "h]|#e",
        "\"Microsoft Window",
        "7HGGD",
        "37>>7$ ",
        "V9fB0,",
        "'!!  ",
        "ADVAPI32.dll",
        "GGHI3)",
        "OpenSemaphoreW",
        "            <supportedOS Id=\"{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}\"/>",
        "pnpnpnnnpn",
        "|Fb#c",
        "Count",
        "k/bzb",
        "P\"\"ivx",
        "Iso_Dependencies_RemoveDependency",
        "hjjnjL",
        "@TsR8",
        "RunningTaskCount",
        "A!pf*",
        "    <application xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "Browseui_Tabs_Tearoff_NewWindow",
        "        </security>",
        "LegacyHistoryAdd",
        "Shdocvw_BaseBrowser_FireEvent_BeforeNavigate",
        "#Dacc",
        "Menuband_PopulateShellFolderToolbar",
        "ox\\AS",
        "/[z`X[",
        "L97sGI",
        "MenuExpand",
        "\\$ UH",
        "003200;(",
        "IDLETASK_PRIORITY",
        "fA9Z*v#A",
        "GetLastError",
        "__setusermatherr",
        ">ZgS#",
        "D}GI}a\" !",
        "n+dOY",
        "Washington1",
        "<44GZ",
        "Shdocvw_BaseBrowser_FireEvent_Quit",
        "~~?>}",
        "tc@8=",
        "Object",
        "primarynav",
        "+@~=#",
        "Znv%)",
        "Browseui_Tabs_AddTabAPI",
        "0g^34QU",
        "XY[]Boqr",
        "*D1Y0",
        "DLM_Security_Hash",
        "Browseui_SelectTabTimerCreated",
        "exitCode",
        "ZYr(3",
        "DLM_DownloadWindow_Show",
        "InputPanelHide",
        "XWWWXXZ",
        "SetSearchPathMode",
        "D$HE3",
        "CFaviconHolder_UpdateReal",
        "[xo,!",
        "<71/48",
        "IMTravelLogMVC_Info",
        "Shdocvw_PanningTool_GetPanningProperties",
        "1YYYW1YY",
        "Z^:4x3s",
        "'Microsoft Windows Code Signing PCA 2024",
        "Frame_LinksBandCreate",
        "aUYd#",
        "Search_SuggestionsProcessing_Perftrack",
        "            <requestedPrivileges>",
        "TEMP<",
        "Microsoft Corporation1",
        "TabRoaming_SessionTimerFired",
        "8888888888",
        "CreateThumbnail_Superbar_Perftrack",
        "_wcmdln",
        ".gehcont",
        "1YYYYYYYYYYYYYYYYWWVV1",
        ".rdata$zETW0",
        "cs_a\\",
        "IntelliForms_Do_AutoStuff",
        "EventSetInformation",
        "(Hup+",
        "BrowserRoamedSettingChange_WinInet",
        "TEMPt",
        "^]O3+",
        "CHAN8",
        "IdleManager_RunExpiredIdleTask",
        "wBDrDC@M#",
        "2k!eD",
        "!9@9!",
        "wwwwwwx",
        "}lK4v",
        "#&WV9",
        "Microsoft-PerfTrack-IEFRAME",
        "4CEHH90",
        "t{{{{{tnjhSSE",
        "'#$!   ",
        "lNO t",
        "}yD=+",
        "hwndPrev",
        "Eu0!P",
        "Addressbar_InlineAutocomplete",
        "ProductName",
        "Shdocvw_VirtualTab_GetWebOCWindow",
        "gG(L>^\"",
        "Disconnect",
        "8N)V@",
        "GetCurrentProcessId",
        "1YYYYVVVVVSVSTTSSSSSS1",
        "Browseui_Tabs_AddTabButton",
        "SetErrorMode",
        "xzxtpps",
        "}~~,vvw",
        "Internet Explorer",
        "Browseui_Tabs_MakeBlockingCallToTab",
        ".CRT$XLA",
        "n09%1",
        "7DDF)YYYY",
        "Frame_URLEntered",
        "CReadingModeContentProvider",
        "Command Type",
        " 8iG!",
        ".xdata",
        " \"?iV",
        "Microsoft Corporation1200",
        "pdvggp",
        "FavoritesSwitchView",
        "vQ]<B",
        "Print_Dialog_Perftrack",
        ".tls$ZZZ",
        "TimespanInMs",
        "FavoritesBar_PopulateFeedsMenu_Perftrack",
        "Iso_Dependencies_AddDependency",
        "userInputID",
        "v<p`r",
        "DominantImageUrl1",
        "}HL9}@t",
        "FileVersion",
        "WPdWh",
        "TEMPD",
        "leG&g",
        "[Pm A",
        "TravelLogScreenshotNav_NewTab_SetAsHiddenTab",
        "WebStorage_Platform",
        " Microsoft Corporation. All rights reserved.",
        "Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z",
        "HangUIShowing",
        "wPdM:",
        "240808213623Z",
        "QueryPerformanceCounter",
        ".tls$",
        "?Kmt~sm]G",
        ".5|M@",
        "ExtensionCloseDW",
        "IDAT /",
        "}}}}}}}}|||||||||",
        "3111111111111111111112",
        "D$0H;",
        "TabRoaming_LoadRoamedTab",
        "@8=1b",
        "cdfge|z/Z>;&",
        "tbmooookooknRRR/.-M",
        "pxvd|x",
        "y{{tnj",
        "(t$pI",
        ":Nq8|",
        "Tab_ShellBrowserOnCreate",
        "KKK8s",
        "            <supportedOS Id=\"{35138b9a-5d96-4fbd-8e2d-a2440225f93a}\"/>",
        "State",
        "Lcx'^",
        "xh.JW^",
        "HhA)ux",
        "Browseui_HangUI",
        "w?2wz7",
        "DeleteCriticalSection",
        "1Q_KP",
        "XWX_b\\_",
        ".data",
        "`ppPi",
        "TravelLogScreenshotNav_OldTab_WantsToCancelSwitch",
        "WilFailureNotifyWatchers",
        "InternalName",
        "Shdocvw_BaseBrowser_FireEvent_NewWindow2",
        "Msg:[%ws] ",
        "TabRoaming_DeleteInvalidOrExpiredTabFile",
        "g\"&#&6vl|v",
        "Message",
        "~_|}_",
        "ahA:0",
        "GetStartupInfoW",
        "ExtensionSetSite",
        "Y&&\"$*(88+)+BCVVVB64'''%!",
        "DD:n ",
        "msvcrt.dll",
        "GetProcessHeap",
        "1YYYY1OOOOOOOOOOOOOONONNNN1",
        "IEXPLORE.EXE",
        "ISO_HANDLE",
        "win:Informational",
        "EmptyTab_CreateNewTab",
        "EmptyTab_Reuse",
        "so=Qs",
        "GetCurrentProcess",
        "P(P~m",
        "EmptyTab_Timer_Cancel",
        "!!!!!!!",
        ".ENNNG.",
        "WaitForSingleObject",
        "G=/QVD",
        ".idata$2",
        "z~qB 2",
        "OnCloseButton",
        "F> \"#",
        "Nj)+g",
        "ddFtQ",
        "wr]x\"",
        "DownloadWindow",
        "Z`*@#",
        "_amsg_exit",
        "FileName",
        "Browseui_TabWindow_CommitRoamingState_Perftrack",
        "]4kSTTLKK+-",
        "jjk,eef",
        "2|md'",
        "onecoreuap\\inetcore\\lib\\tracelogging\\legacydll.cpp",
        "P`!AX",
        "0DMU\\]]]]\\QNH",
        "[[f4h6PRTKIL:;&",
        "?fMz?k",
        "Redmond1",
        "250814184817Z",
        "EmptyTab_Conversion_Begin",
        "TabRoaming_FindRoamedTabs",
        "_ppppppppppppppppaRM",
        "IsActive",
        "CREDAT:",
        "Tab_Fast_Shutdown_Perftrack",
        "vll|h",
        "Tlg$F",
        "f9H\\u",
        "CreateHTMLPreview_Perftrack",
        "(++++++",
        "u!Ug4X}",
        "wO]~!",
        "TEMP0",
        "CloseFrame",
        "cF_l:",
        "ZdpnkSTTVQL<<C,w",
        "AttachTID",
        "Translation",
        "u)DF(%",
        "RowCount",
        "LinkCount",
        "UWATAVAWH",
        "7Cxaf",
        "Enable",
        "rss,jkk",
        "gNX>X",
        "_cexit",
        "TEMP,",
        "Browseui_HangUI_DisparentAndDetachBrowserTab",
        "IQRRMS",
        "Find_MatchAndHighlightHits",
        "CAsyncStorage_WorkPending",
        "VVVUN@@",
        "UnifiedListView_SwitchMode",
        "}At;\"",
        "f94Ku",
        "GenerateThumbnail",
        "f9,Vu",
        "Microsoft-IEFRAME/Diagnostic",
        "Browseui_CBrowserFrame_OnClose",
        "qH/uF",
        "^^^\\PF",
        "Browseui_SelectTabTimerCancelled",
        "E}#,&",
        "_a_a_a_a_a_a_a___[N",
        "iswspace",
        "LeftButtonAction",
        "1Igjzu",
        "*km?o",
        "G \">3",
        "QSA_PopulateTile_Perftrack",
        "ComponentType",
        "OL8GW",
        "Microsoft-PerfTrack-IEFRAME/Diagnostic",
        "            <supportedOS Id=\"{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}\"/>",
        "EDPPERMISSIVEAPPINFOID",
        "TabSwitch",
        "<hgh}",
        "]__7N",
        "eeHHHHHHc",
        "mshtml",
        "Phttp://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0",
        "PRVAX",
        "=%nD_GF",
        "enefjjn",
        "_exit",
        "||wxxx",
        "f94Cu",
        "Immersive_Travellog_BeforeUnload_Fired",
        "HRESULT",
        "TravelLogScreenshotNav_NewTab_ShowingAllScreenshotsOnSwitch",
        "ResetDestinationList",
        "UnifiedListView_Typed_Perftrack",
        ".idata$5",
        "6pvex",
        "EventRegister",
        "wwwwwwwwww",
        "fjjjbej",
        "StrStrIW",
        "iK/ =",
        "PerformWhenBrowserResponds",
        "ImageUrl",
        "f<g~~",
        "_'_gL",
        "CallContext:[%hs] ",
        "7kb[`",
        "=DNbfjnnjojutrR;",
        "GetProcAddress",
        "Immersive_Travellog_ScrollComplete_Fired",
        "FavoritesBar_PopulateLinksMonitor",
        "!]_0t",
        "Browseui_Tabs_CloseTab_Perftrack",
        "dwTabScenarioFlags",
        "        <application> ",
        "Shdocvw_BaseBrowser_FireEvent_DocumentComplete",
        "ppnppnppnp",
        "ReleaseSemaphore",
        "350623220401Z0_1",
        "Browseui_Tabs_TabReadyForNavigate",
        "U0S0Q",
        "SetUserObjectInformationW",
        "vYZ^D",
        "R_as/%%! ",
        "2wC*y",
        "NewTabPageData_RoamedEntry",
        "roaming",
        ".rdata$T$brc",
        "-ResetDestinationList",
        "210930182225Z",
        "FailureReason",
        " N';aaa][LEC1'T ",
        "HistoryByMostVisSwitchView",
        "Tab_NavigateToPidl",
        "fC|_t@;1",
        "|k&SZ",
        "Status",
        "F25*-",
        "FU*l?`",
        "AttachToTID",
        "PrerenderURL",
        "Browseui_BringBrowserTabAlternateOwnerForward_Hung",
        "P2}_nA",
        "Shdocvw_VirtualTab_NavigateThreadProc_NavigateEx2Call",
        "I?VX^m3)",
        "$eO&iK",
        "WWWXXZ\\",
        "UseWER",
        "IMTravelLogMVC_StateChange",
        "@:@:::@@@9M",
        "Immersive_Travellog_Perftrack",
        "M[p_=",
        "X1`=8",
        "2[[AP",
        "TravelLogScreenshotNav_OldTab_CannotCancelSwitch",
        "%!NPj{{{{{{{{td/",
        "DominantImageUrl4",
        "GJNSsmh",
        "CloseTab",
        "Shdocvw_VirtualTab_NavigateDeferredNewTab",
        "L)40A",
        "7s377",
        "f\\Us':AP",
        "b[P,kG",
        "TabRoaming_LoadRoamedMachine",
        "hwndAlternateOwner",
        ">(B}=(-}=(o|<(",
        "TaskID",
        "Search_SuggestionsDownload",
        "h)u{%",
        "GetCommandLineW",
        "       processorArchitecture=\"amd64\"",
        "l>(UuSI",
        "TASKl ",
        "LocalAlloc",
        "Tab_Terminate_Process",
        "Browseui_Tabs_Tearoff_Complete_TabProc",
        "8Y(9k",
        "h`2[C",
        "?Kvc9",
        "]GLTQ}",
        "IsTabSwitch",
        "\\j.~C",
        ".giats",
        "$DkynC&",
        "UnifiedListView_Displayed_Perftrack",
        ">C|i+",
        "ReleaseMutex",
        "MaxWaitingTime",
        "Microsoft.InternetExplorer.Preview",
        "FindWindowExW",
        "e%<???=o",
        "bba_^]NNLKF",
        "</assembly>",
        "appppppppppppppppjRXL",
        "n@?Ju5!",
        "-:2JJW",
        "msIso.dll",
        "230865+5045810",
        "Sq]}#",
        "Shdocvw_VirtualTab_NavigateInWebBrowser",
        "t{{{yytttQ2",
        "3.2...((((%",
        "Result",
        ";r\"?@p",
        "win:Verbose",
        "iexplore",
        "EmptyTab_Closing",
        "RtlCaptureContext",
        "$JA 3*b",
        "wwwwwwwwx",
        "Frame_NavBarCreate",
        "JournalEncryption_Init_Perftrack",
        "Tab_Recover_Complete",
        "wfV~td",
        "o<5I'",
        "RL--I",
        "NotificationBar_Animate",
        "oT$@f",
        "    <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        ".idata$6",
        "BoolVal",
        "Frame_LoadFrameState",
        "M2fB4",
        "    <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">",
        "*6zN*",
        "'GG9G'",
        "/y&6N51",
        "ActivityType",
        "fD9<Wu",
        ".Mq#A",
        "TEMPh",
        "AutoSuggest_DropDown_Hide",
        "ULQRUccs",
        "ltI{\"",
        "ProcessId",
        "m066^$",
        "m7Xh*",
        "{u}WYZ",
        "ubjn~",
        "TravelLogScreenshotNav_NewTab_NowReadyToSwitch",
        "Snippet_MetaExtraction_Perftrack",
        "            <supportedOS Id=\"{1f676c76-80e1-4239-95bb-83d0f6d0da78}\"/>",
        "ImageDimX",
        "EmptyTab_Reuse_ReinitializeBrowserTab_Begin",
        "&]D =",
        "kernel32.dll",
        "99999",
        "9[HPr",
        ".)3?664'''''0&//3",
        "KqLa*",
        "]w,<x",
        "\"''9'",
        "X }A,-",
        "%hs(%d) tid(%x) %08X %ws",
        "OutputDebugStringW",
        "F)bn)K#",
        "5]1LrT",
        ".97777\"7\" \" \" !    ",
        "Tab_BFCache_Resume",
        "T'>J<",
        "PRVA8",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "_pppppppppppppppppONNNNR",
        ")DNTp",
        "ppN!f",
        "e05?D",
        "\\$ VWAVH",
        "IMTravelLogMVC_NavigationReceived",
        "Imaging_CreateWebPagePreview_Perftrack",
        "DOW^^",
        "<GHIM4)",
        "    </compatibility>",
        "PRVAL",
        "@.data",
        " A_A^A]A\\_",
        "A@>>7%",
        "20260321050310Z",
        "0c0904E4",
        "bTT@7",
        "TTBL0",
        "CoCreateGuid",
        "ImageLastRetrievedTime",
        "IEShortLivedProcess",
        "Microsoft Time-Stamp PCA 20100",
        "_unlock",
        "3P_ptxP",
        "C71/48",
        "Local\\SM0:%lu:%lu:%hs",
        "DLM_Resume_Time",
        "@.didat",
        "isDebuggerPresent",
        "`,\"\\q",
        "Browseui_CIMBrowserFrame_CreateInstance_Perftrack",
        "&_\\~e",
        "1YYYVVVSVSVTRNNNTTSSS1",
        "\\q=AP\\",
        "CHAN\\",
        "Shdocvw_BaseBrowser_FireEvent_NewWindow3",
        "DownloadWindow_Item_Added",
        "nonPerfTrack",
        "Z2`_Ot ",
        "OPCOx",
        "HistoryJournal",
        "FormatMessageW",
        "Mj&@:_",
        "fpxdQ",
        "wa*,a",
        "cQL:-$%%",
        "HcQ<H",
        "UserAction",
        "4/-6888",
        "@&0&_g",
        "\"=\\,9",
        "zf^'I",
        "u L97t",
        "IEFrame",
        "ImageStore_Activity_ImageTotal",
        "1/0-0",
        "FeedsSwitchView",
        "SyncTimeout",
        "InitializeCriticalSection",
        "ImageLastUpdatedTime",
        "ExtensionRelease",
        "&!#\")",
        "apppppppppppppppppXnneRK",
        "OriginalFilename",
        "Browseui_DestroyDetachedBrowserTabUI",
        "m^w$@",
        "..('$$$ ",
        "dEJJJD_",
        "GetModuleHandleExW",
        "_ppppppppppppppnppnpnpnp",
        "u*9Q<|%",
        "OS=NLLLH",
        "/QQQRQQQRQQQRQQ",
        "TabID",
        "BrowseUI_CStorage",
        "NotifyFrame",
        "AicL(",
        "memcpy_s",
        "IdleManager_AddRunningTask",
        "AAAAAAAAAAAAAAAAAyyyyyyyyyyyyyyAAy/0.*+,1<gipdyAGzhf",
        "Browseui_CBrowserFrame_CreateInstance_Perftrack",
        "fg1??",
        "Bind Context",
        "Shdocvw_VirtualTab_NavigateImmediateTab",
        "UnifiedListView_Query_History_Perftrack",
        "CompanyName",
        "Version",
        ")/NSKC\"",
        "-[TGC>=[",
        "Bing_Suggestions_CancelRequest",
        "-eval",
        "jscript",
        "0a?_n",
        "1YYYYYYYYYYYYYYYYYWVW1",
        "211111YY",
        "Browseui_Tabs_CloseTab",
        "SP>05",
        "yyz,rss",
        "V9^=2(",
        "oKPW@",
        "Frame_TravelBandCreate",
        "ZaZ|W",
        "UnifiedListView_Dropdown_Perftrack",
        "_*%GSSehhZ??>>?B>",
        "qjj?[",
        "OnlineHistoryCollectData",
        "%s!FK",
        ">http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0",
        "Qco0+",
        "%F0[U",
        "TabVisibleIndex",
        "saPz?i",
        "IdleTask_Execution_Time",
        "|$ UH",
        "EnumHistoryRecords",
        "            <!-- This Id value indicates the application supports Windows Threshold functionality-->            ",
        ":20/48",
        "Shdocvw_VirtualTab_NavigateThreadProc",
        "[0>:!",
        "        </application>",
        "x>CCA@9G+J",
        "^^]PD",
        "Microsoft.InternetExplorer.Default",
        "*1ATA",
        "L$0H3",
        "Microsoft Time-Stamp PCA 2010",
        "zB=_h",
        "Snippet_BOLLExtraction_Perftrack",
        "UnifiedListView_Query_DomainSuggestion_Perftrack",
        "$0daK",
        "Find_DeactivateBar",
        ";~zQ{",
        "Shdocvw_VirtualTab_NavigateTabManager",
        "3....+))+",
        "+++++++***",
        "7wwwwp",
        "TabCreate",
        "<!y.q",
        "4?%)cH",
        "O[86?",
        "Dependent",
        "VBXP9",
        "gl||deg",
        "        <windowsSettings>",
        "4wNOu{",
        "lHT[G",
        ".rdata",
        "-agggeD[0",
        ";BDDNRRGE;",
        "x\"nc(",
        "zsttcUPC",
        "[%hs(%hs)]",
        "+#_g^#",
        "}g#;~",
        "qYFnrm",
        "di033",
        "Browseui_CBrowserFrame_Close",
        "__dllonexit",
        "| <g5",
        "Shdocvw_VirtualTab_GetIWB2",
        "appppppppppppppppnppnpnp",
        ":20/4",
        "BrowserThreadProc_Prior",
        "DataModel_Provider_CreateDataList",
        "FavoritesBar_WriteLinksCache",
        "ttsc_UP",
        "Tab_ShellBrowser_OnUnload",
        "\\I9<q",
        "99ph(",
        "Frame_ControlBandCreate",
        "By}H&C'",
        "(P/x\\",
        "9IIMMMMMM9999",
        "FoundSuspendable",
        ";Ye/(u&",
        "MenuShrink",
        "K\\|7_i",
        "TEMPd",
        "<hghd",
        "`Av+&",
        "BrowserRoamedSettingChange_ExcludedUrls",
        "qkCUk",
        "ThreadID",
        "Immersive_Travellog_PageAvailable_Fired",
        "api-ms-win-downlevel-shell32-l1-1-0.dll",
        "1YYYYYYYYYYYYYYYYYVVT1",
        "EventWriteEx",
        "Window_Minimized",
        "LCIEDownloader",
        "FHIMMMHF",
        "VVVVVTVSTT1",
        "StringFileInfo",
        "Z<Taj",
        "WATAUAVAWH",
        "lX:p\"r",
        "xwwwxww",
        "bbbbb",
        "Flags",
        "3;2 ?",
        "CompressThumbnail",
        "h&+-dd^#",
        "IESessionIDInvalidated",
        "{x;yw",
        "pnppnnpnnn",
        "Shdocvw_VirtualTab_NavigateThreadProc_Navigate2Call",
        "NewTabPageData_Refresh",
        "fDestroyingHangUI",
        "|v&\"\"c&",
        "ImageCleaningScheme",
        "u-D9}",
        "RtlDisownModuleHeapAllocation",
        "IHMI7",
        "7*W]{",
        "Sleep",
        "Browseui_VirtualTab_PreNewFrameTabCreate",
        "+RB+R",
        "Browseui_TabSuspension_Unuspend",
        "pnnnnnnnnn",
        "Search_SuggestionsProcessing",
        "CreateThumbnail_Perftrack",
        "AutoSuggest_DropDown_Show",
        "~hRQQ",
        "~bMkd`!",
        "totalTabCount",
        "TabState",
        ":#Hj{",
        ".text",
        ".idata$3",
        "Find_ChangeSelectedHit",
        "CIMContextMenuBar_Show_Perftrack",
        "O'mm?",
        "QueryID",
        "(xk0ql",
        "+{F~x",
        "DownloadWindow_HistoryQuery_Perftrack",
        ".CRT$XCAA",
        "CreateAndSelectTab",
        "TerminateOnShutdown",
        "IDLEMANAGER_TASKTYPE",
        "Browseui_Prerender_Closing_Prerendered_Page",
        "@U@E@",
        "CreateHTMLPreview",
        "pC{yu5",
        "Browseui_HangUI_SetVisible",
        "TEMPl",
        "onh||i|",
        "IMTravelLogMVC_TravelURL",
        "SetDllDirectoryW",
        "Browseui_VirtualTab_PostNewFrameTabCreate",
        "L(}^$A>#",
        "SharedMemoryHandle",
        "VRNNNTTTTS1",
        "H.ZAf",
        "NewTabPage_SearchLogo_Show",
        "[http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Code%20Signing%20PCA%202024.crt0",
        "(-=qL",
        "1(0&0",
        "VS_VERSION_INFO",
        "$Microsoft Ireland Operations Limited1'0%",
        "HeapSetInformation",
        "..(((($$  ",
        "c0a0_",
        "ox2mC",
        "EventWriteTransfer",
        "    <assemblyIdentity version=\"5.1.0.0\"",
        "Browseui_PrepareVisibleAsync",
        "J*m6v'",
        "HiddenTabCookie",
        "@SUVWATAUAVAW",
        "EmptyTab_Conversion_Cancel",
        "BackNaviagation_Requested",
        "'Microsoft Windows Code Signing PCA 20240",
        "-FFFFBFBBBB???008",
        "#C$\"F",
        "wwwwwx",
        "/cpokSTQVVV<E9,F",
        "'Kn)x",
        "IMDownloadWindow_ActionBar_Animation",
        "{liihhmn",
        "UjDM5",
        "StateString",
        "ImageUniqueID",
        "UnifiedListView_GroupPopulated",
        "OIR<r",
        "Browseui_CIMTabView_CloseTab_Perftrack",
        "            <supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"/> ",
        "Window_Resized",
        "OnlineHistoryClear",
        "Snippet_UserSelExtraction_Perftrack",
        "s AWH",
        "Cookie",
        "fef|yxz",
        "11.00.26100.8115",
        "+DKKKF-#",
        ".idata$4",
        "lRwSjH4_?",
        "@MMHMIMMM@H9E",
        "Frame_AddressBandCreate",
        ":MIMMMMIMB9E",
        "O0M0K",
        "1NWWX",
        "Z5&s&7",
        "???n*+*+",
        "<ah!1",
        "D l8m",
        "_wRB?Q",
        "Frame_Show",
        "\\$ UVWAVAWH",
        "FavCenterOpen",
        "TileSize",
        "-][GGC=[",
        "[n?rhf",
        "\\$ UVW",
        "Lb m6X",
        "TWZTTWZT",
        "zwj[G",
        ")Microsoft Root Certificate Authority 20100",
        "Browseui_Tabs_SwitchTabs",
        "TimeElapsed",
        "<71/4",
        "<!-- Note: This manifest needs to be kept in sync with iexplore.exe.appcompat.manifest -->",
        "x AVH",
        "LaunchFrame",
        "Browseui_Tabs_BrowserTabRespondsNow_TabHung",
        "EmptyTab_Conversion_CleanupRecoveryData_Begin",
        "m\"Nc=`",
        "CreateMutexExW",
        " P,;;%W ",
        "-Bass",
        "Immersive_Travellog_ScrollComplete_TimeOut",
        "WinMain",
        "vV~wg",
        ")i3&Wr",
        "LAWac",
        "ScaleThumbnail",
        "J?EZ#",
        "2F@\"(",
        "AllowRecovery",
        "1|ne$",
        "GetCurrentThreadId",
        "H[a_^]NMLKKJF",
        "HeapAlloc",
        "defunct",
        "GRRRRR",
        "DLM_Security_WVT",
        "(>?q=zGGzbo",
        "}=)G}=(",
        ".didat$2",
        "DebugBreak",
        "_onexit",
        ".rdata$zETW9",
        "OgyBI",
        "*Og{U",
        "<HMGI5",
        "D$8E3",
        ".rdata$brc",
        "`4Wn8q",
        "wcsncmp",
        ":GUUUP-x:",
        "1Ywfcp",
        "@JMMU\"/",
        "EVNTp",
        "_ppppppppppppppppp[eXL",
        "Qw`[L+W",
        ".rdata$zzzdbg",
        "Shdocvw_PanningTool_ScrollElementBy",
        "       name=\"Microsoft.InternetExplorer\"",
        "Courier_FunctionalTest",
        "lLCrN",
        "SO@\"T",
        "-startmanager",
        "FJcr%",
        "Microsoft Corporation",
        "TEMP8",
        "Frame_Fast_Shutdown_Perftrack",
        ".gfids",
        "}G/-4X",
        "LegalCopyright",
        "I,{5:",
        "tpt&mfh",
        "`Whxo",
        "EmptyTab_Conversion_FinalNavigation_Begin",
        "MICROSOFTEDPPERMISSIVEAPPINFO",
        "1YYYY1YY7IGDA==7VRNNNV((VS1",
        "H2)%5",
        "TabWindowManager_UnDehydrateTabsOnResume_Perftrack",
        "N9x/:",
        "F4\"!3",
        "Shdocvw_BaseBrowser_FireEvent_NavigateComplete",
        "Browseui_Tabs_ShowHungTabBar",
        "DIType",
        "N];2^",
        "040904B0",
        "A20/4",
        "RtlVirtualUnwind",
        "SelfRecovered",
        "%hs!%p: ",
        "LocalFree",
        "fjjefjj",
        ">5LDT",
        "URXF;",
        "fogrp",
        "61(!P",
        "Find_MatchAndHighlightHits_Perftrack",
        "3http://www.microsoft.com/pkiops/Docs/Repository.htm0",
        "}F9;7",
        "HistoryBySiteSwitchView",
        "p pt@",
        "3w2!_a|",
        "NotificationBar_Show",
        "]sU&Q",
        "n{{{{{yyyyn[",
        " 55323222...",
        "IMTravelLogMVC_ScreenShotInfo",
        "H\"vo9",
        "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\iexplore.exe",
        "TotalNumber",
        ".data$brc",
        "                    level=\"asInvoker\"",
        "y).=I",
        "TabSwitch_NotAccountingForInputDelay",
        "Device_Info_Util",
        "LegacyHistoryEnum",
        "FileDescription",
        "NotificationBar_Flash",
        "*B 8W]",
        "WEVT_TEMPLATE",
        "gn|vlpl~nw",
        "TravelLogScreenshotNav_OldTab_ReadyToClose",
        "W*,[5H",
        "x;O?rha",
        "R2j:S\\",
        "Recovery_WriteInitialStore",
        "Frame_MinIETabBandCreate",
        "W]3yl",
        "OldTID",
        "FavoritesBar_PopulateFeedsMenu",
        ":8887 g_",
        "DataModel_QueryEntry",
        "@~!>7",
        "Browseui_TabWindow_SetVisible",
        "}^[t{",
        "WWV6&(",
        ":MMMMMJMMMCC9",
        "J-\"0'''''030433H",
        "Uoh_z",
        "1.=7C",
        "DelayLoadFailureHook",
        "halfTabCount",
        "ExtensionSetSiteNull",
        "Tppnpnnnpnn",
        "C#v2H",
        "EUPP_DoAsyncOperation_Perftrack",
        "rCstG",
        "GetSystemTimeAsFileTime",
        "GetHalfTabData",
        "D$$I;",
        "WVV'*",
        "dptf@",
        "e'>EQ1",
        "-nowait",
        "       type=\"win32\"/>",
        "NewTabPage_Show",
        "UnhandledExceptionFilter",
        " *#k*~#",
        "a.ry.v",
        "6hynd",
        "Search_ImageProcessing_Perftrack",
        "dW9/+=",
        "=^r</",
        "Browseui_Tabs_Activity_Hide",
        "0-ZZW$",
        "pIDAT7",
        "`In_u",
        "GuVgeeVeUWUW",
        " *g}DL3^",
        "68*RZa",
        "0PU\"r",
        "GetModuleFileNameA",
        "Tnnpnnnnnnn",
        "Pq<(0",
        "Y9\" 7B",
        "____gmx>N",
        ";7ww8",
        "DLM_DownloadBar_Show",
        "t!D8=\"q",
        "Imaging_CreateWebPagePreview",
        "W%:Z%",
        "244444444444444444444442",
        "]7lF8",
        "xnk^z",
        "[[[S+",
        "+???NNX",
        "I?(((()(((",
        "ULV_AggregateItems_Perftrack",
        "BarText",
        "<!-- Copyright (c) Microsoft Corporation -->",
        ">~?7J",
        "Application-Addon-Event-Provider",
        "CIMNavBar_Show_Perftrack",
        "NewTID",
        "HistoryByOrderSwitchView",
        "            <!-- This Id value indicates the application supports Windows Blue/Server 2012 R2 functionality-->            ",
        "WaitForSingleObjectEx",
        ";{{{{{{0",
        "l.igM4",
        "EmptyTab_Conversion_Succeeded",
        "notification",
        "CIMFindBar_Show_Perftrack",
        "PinnedSites_OfferedImage",
        "CIMFindBar_Hide_Perftrack",
        "TabRoaming_TabMarkedDirty",
        "IdleManager_RunNextIdleTask",
        "MenuItemPop",
        "InputPanelResize",
        "Index",
        "(7A@@>'",
        "9OSJD-",
        "@@@@@@@@@@@@@",
        "K51ddd",
        "RtlLookupFunctionEntry",
        "_lock",
        ":'IR&",
        "U J Qn^",
        "VVVVVTTTSS1",
        "BrowserRoamedSettingChange_FlipAhead",
        "MICROSOFTEDPENLIGHTENEDAPPINFO",
        "z00'#|D",
        "TravelLogScreenshotNav_NewTab_GetReadyToSwitch",
        "Browseui_ActivationRegistrar_CreateComponent",
        "            <!--This Id value indicates the application supports Windows Vista/Server 2008 functionality -->",
        ".i5Sz",
        "GetTickCount",
        "alv?6",
        "EYe09",
        "Shdocvw_Feed_Search",
        "Y[ONN",
        "LCIE_ForeignProcessMessageQueueDequeueAll",
        "r+K+}q",
        "_PPUUUcs",
        "__wgetmainargs",
        ",2HSK ",
        "mnn,hhi",
        "Publisher",
        "1Dcq?",
        "qc^^ih]i",
        "verbose",
        "EventData",
        "CtrlLeftButtonAction",
        "Locale",
        "_PLG:**:",
        "Browseui_Tabs_Tearoff_ShowVisual",
        "Nhttp://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l",
        "YZT%]j",
        "LegacyHistoryQuery",
        "x ATAVAWH",
        "B\"-*9",
        ")@@>-",
        "ZWWYVPPPMMMN[o",
        "TravelLogScreenshotNav_NewTab_ShowingScreenshotBeforeSwitch",
        " 33.2....(,'",
        "ptytytnc",
        "BrowserThreadProc_Return",
        "@.reloc",
        "kdSEI",
        "npnnnnnnnn",
        "Browseui_Tabs_Tearoff_NewWindow_TabProc",
        "iertutil.dll",
        "VB$h&",
        "333333",
        "@A_A^A]A\\_^]",
        "1YYYY1YY7LKIHEB=WVVVVW-'VV1",
        "SHTN^",
        "v#>Ey",
        "IdleManager_RemoveTask",
        ";IIG:",
        ".text$mn$00",
        "Shdocvw_BaseBrowser_FireEvent_NavigateError",
        "28Hsv",
        "Nm\\\"l):",
        "!U@d5cZ",
        "fD9$Nu",
        "(_(1=",
        "wwwwwwwx",
        ">4F7C)",
        "Shdocvw_BaseBrowser_FireEvent_DownloadComplete",
        "1$`_@",
        "3...((((%  ",
        "imagestore",
        "R$fA;Z*",
        ")ag^#",
        "!1$<x",
        "Browseui_Tabs_MarkTabAsHung",
        "VRNNNV",
        "!TkjE",
        "IMTravelLogMVC_WaitForPageTimeout",
        "=;<0wwx",
        ")t$pH",
        "20260322050310Z0w0=",
        "pnnpnpnnnn",
        "Browseui_Tabs_MarkTabAsNotHung",
        "e&V\"%JA",
        "@$/t\"T",
        "sW%%e",
        "XRNLN",
        "260506182454Z0t1",
        "JyJ@~",
        "K:vd~PF",
        "Microsoft Corporation1-0+",
        "RehydrateTab",
        "ntdll.dll",
        "ptV7n",
        "String",
        "=O?4j",
        "x|iI6",
        "DominantImageUrl3",
        "- &$$",
        "H^]NMLKKJJIF",
        "xr4>D",
        "3s337p",
        "ExtensionShowDW",
        "njejnnp",
        "WWCV6''#odd",
        "yiO<W",
        "QpSh1",
        "TargetPID",
        "Xc$3F",
        "ynf$79:C",
        "250508182454Z",
        "ProcessID",
        "iexplore.pdb",
        ".rsrc$01",
        "@ Sjb?",
        "api-ms-win-downlevel-advapi32-l1-1-0.dll",
        "shell",
        "Q Gt.9",
        ";=5HD",
        "VVVVVTTTTT1",
        "wwrhmmy|",
        "%JVzI5)",
        "Target",
        "q1\"hifge],",
        "%hs(%u)\\%hs!%p: ",
        "x7qJs",
        "api-ms-win-downlevel-ole32-l1-1-0.dll",
        "7sw7sw",
        "A_A^A]A\\_^][",
        ",LIKOIL:)",
        "ggh,bbcxggh",
        "TabWindowManager_DehydrateTabsOnSuspend_Perftrack",
        "EDPENLIGHTENEDAPPINFOID",
        "    </application>",
        "I-[VO",
        "*9988777777",
        ".text$yd",
        "-``[GGC[",
        "HungWindowText",
        "Tab_BFCache_Suspend",
        "'xS[mG~",
        "wwwwwwwwwwwwwwwx",
        "Snippet_Aggregate_Perftrack",
        "33p3337330",
        "[D2PI",
        "Exception",
        "IsHung",
        "NotificationBar_Update",
        "XT51>",
        "`bbi}",
        "NotificationManager_SendResponse",
        "win:Info",
        ".4ON@",
        "Fy_Bc=",
        "TabId",
        "_aaelm"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "selfextract": {
        "overlay": {
          "extracted_files": [
            {
              "name": "1726cc74af856711b3f8fa868a8dfc20f20478285b5931d798977d186b3149e4",
              "path": "/opt/CAPEv2/storage/analyses/52/selfextracted/1726cc74af856711b3f8fa868a8dfc20f20478285b5931d798977d186b3149e4",
              "guest_paths": [
                "overlay"
              ],
              "size": 10696,
              "crc32": "DCAF0826",
              "md5": "555813b9c3e1a16ad64591261a986460",
              "sha1": "047cd23ab9a3d67468a6b490c4984c8e3eebc96d",
              "sha256": "1726cc74af856711b3f8fa868a8dfc20f20478285b5931d798977d186b3149e4",
              "sha512": "b0fbc874298cd3392821ff1bf49130698424ee090c7a1016e74cebd8d6430aa2f748d49a7a5f547be95b5fc0b73daa8321f911acf2c7eded640e32415059f011",
              "rh_hash": null,
              "ssdeep": "192:ugca8LxydkeR+ImIvXbV46X01k9z3ADUU5o3E+l:ugcaGALZvXFR9zcS3Z",
              "type": "data",
              "yara": [],
              "cape_yara": [],
              "clamav": [],
              "tlsh": "T121224CE68B7CD042DE8AAD506398E9533C3C93CB2D80989222E9F9541CE37D9D70447F",
              "sha3_384": "277663ca23ed7be821f9313b82af8772ec0602345b5d38d6c68913c35972532fd689d1c22ab60b24314578bbb68dfa80",
              "data": null
            }
          ],
          "extracted_files_time": 0.001274189000014303,
          "password": ""
        }
      },
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-06-29 10:43:20",
    "ended": "2026-06-29 10:44:09",
    "duration": 49,
    "id": 52,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 52,
      "status": "stopping",
      "name": "win10",
      "label": "win10",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-06-29 10:43:20",
      "shutdown_on": "2026-06-29 10:44:09"
    },
    "package": "exe",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "vnc_port": "5900"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "394455c2cd85889fb0782bfcf1f8c5c2f7f77b46"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 4444,
        "process_name": "iexplore.exe",
        "parent_id": 2892,
        "module_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe",
        "first_seen": "2026-06-28 21:56:12,870",
        "calls": [
          {
            "timestamp": "2026-06-28 21:56:13,073",
            "thread_id": "3412",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff99f6a2dbc",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-28 21:56:13,073",
            "thread_id": "3412",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99f6a2de3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsMultiSessionSku"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa30200"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-28 21:56:13,073",
            "thread_id": "3412",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99f6a2de3",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\iertutil"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f680000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99f6b71b0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-28 21:56:13,073",
            "thread_id": "3412",
            "caller": "0x7ff9aaac3db3",
            "parentcaller": "0x7ff9aaa64cdb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000000c"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-28 21:56:13,073",
            "thread_id": "3412",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-28 21:56:13,073",
            "thread_id": "3412",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff7c1931cb0"
              },
              {
                "name": "Parameter",
                "value": "0x47cd0e7000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-28 21:56:13,089",
            "thread_id": "3180",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa077c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000040"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-28 21:56:13,089",
            "thread_id": "2476",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-28 21:56:13,089",
            "thread_id": "2476",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-28 21:56:13,089",
            "thread_id": "4424",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-28 21:56:13,089",
            "thread_id": "4424",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-28 21:56:13,089",
            "thread_id": "3180",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-28 21:56:13,089",
            "thread_id": "3180",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c1931df1",
            "parentcaller": "0x7ff7c1931b0a",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff7c1931da0"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c1931a1e",
            "parentcaller": "0x7ff7c1931b4f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6007000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c1931583",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f915000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c1931583",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f915000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3412"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-28 21:56:13,104",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000204"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\xf9\\x9a\\x84\\x82z\\xe0[\\xfaF\\x15^\\xb5l\\xd8\\xbd\\x91\\xcb\\x01`\\x04\\xdbF\\x03\r\\xb7\\x1a-\\x13\\x02\\x8fOqjwSc\\xcc\\x97\t\\xed\\xd2p\\x13\\x9c\\xfa\\xf8\\x12\\xf7"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315a2",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "msIso.dll"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msIso.dll"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msIso.dll"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msIso.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000208"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000210"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msIso.dll"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000208"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00054000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3f0000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3dc000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3dc000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3dc000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3dc000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3db000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3db000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\n\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8~\\xbc\\xa9\\xf9\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xba\\xa9\\xf9\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00I\\x003\\x002\\x00\\x02\\x00\\x00\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msIso"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e3a0000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3f0000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3f0000"
              },
              {
                "name": "ModuleName",
                "value": "msIso.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c7ad0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 67
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c7ae0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 71
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 74
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsMultiSessionSku"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa30200"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msIso"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99e3a3650"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff7c193c000"
              },
              {
                "name": "ModuleName",
                "value": "iexplore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c19323e0",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff7c193c000"
              },
              {
                "name": "ModuleName",
                "value": "iexplore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c19315e3",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 83
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              },
              {
                "name": "ValueName",
                "value": "Security_HKLM_only"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1934178",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000240"
              },
              {
                "name": "SubKey",
                "value": "FEATURE_ENABLESAFESEARCHPATH_KB963027"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLESAFESEARCHPATH_KB963027"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1933377",
            "parentcaller": "0x7ff7c1931636",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x1f1c60522d8",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe\" "
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c193547c",
            "parentcaller": "0x7ff7c1933248",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000240"
              },
              {
                "name": "SubKey",
                "value": "FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ff9686a00b9"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4444"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000244"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000248"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a603f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6033f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f915000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f915000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x80\\x07\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00P\\x00E\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4444"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf9\\xf6\\xccG\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\xae\\x90\\x9f\\xf9\\x7f\\x00\\x00t0j\\x9f\\xf9\\x7f\\x00\\x00D\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "47"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows\\system32"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-28 21:56:13,120",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "35"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "FrameTabWindow"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "FrameTabWindow"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "FrameMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "FrameMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "SessionMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "SessionMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "AdminTabProcs"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "AdminTabProcs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x86\\x07\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00 [3]\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "ValueName",
                "value": "RunBinaryControlHostProcessInSeparateAppContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "RunBinaryControlHostProcessInSeparateAppContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa760000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "user32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "IsImmersiveProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa789a30"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies"
              },
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies"
              },
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software"
              },
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software"
              },
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software"
              },
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a4"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa3d0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3da190"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3efe60"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000260"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c9d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x47ccf6ef00"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000264"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "1"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000024c"
              },
              {
                "name": "SubKey",
                "value": "Microsoft\\Internet Explorer\\Low Rights"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Low Rights"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000254"
              },
              {
                "name": "SubKey",
                "value": "Microsoft\\Internet Explorer\\Low Rights"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000258"
              },
              {
                "name": "SubKey",
                "value": "Microsoft\\Internet Explorer\\Low Rights"
              },
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "ValueName",
                "value": "ProtectedModeOffForAllZones"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights\\ProtectedModeOffForAllZones"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "ValueName",
                "value": "EnableLUA"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\x83\\x07\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00U\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1931661",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "IEFRAME.dll"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\IEFRAME.dll"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ieframe.dll"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ieframe.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ieframe.dll"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff986d30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00757000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987463000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987347000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987347000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987347000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987347000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987344000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00004000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "NETAPI32.dll"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "VERSION.dll"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "USERENV.dll"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WINHTTP.dll"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\NETAPI32.dll"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netapi32.dll"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netapi32.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-28 21:56:13,135",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netapi32.dll"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e260000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00018000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e275000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e26c000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e26c000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e26c000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e26c000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e26c000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\VERSION.dll"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\version.dll"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\version.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\version.dll"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3240000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3244000"
              },
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3244000"
              },
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3244000"
              },
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3244000"
              },
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3244000"
              },
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\USERENV.dll"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\userenv.dll"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\userenv.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\userenv.dll"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7fa9000"
              },
              {
                "name": "ModuleName",
                "value": "USERENV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f9d000"
              },
              {
                "name": "ModuleName",
                "value": "USERENV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f9d000"
              },
              {
                "name": "ModuleName",
                "value": "USERENV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f9d000"
              },
              {
                "name": "ModuleName",
                "value": "USERENV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f9d000"
              },
              {
                "name": "ModuleName",
                "value": "USERENV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f9c000"
              },
              {
                "name": "ModuleName",
                "value": "USERENV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\WINHTTP.dll"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winhttp.dll"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00108000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1d0f000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1ce4000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1ce4000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1ce4000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1ce4000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1ce4000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e26c000"
              },
              {
                "name": "ModuleName",
                "value": "NETAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3244000"
              },
              {
                "name": "ModuleName",
                "value": "VERSION.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f9c000"
              },
              {
                "name": "ModuleName",
                "value": "USERENV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WKSCLI.DLL"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1ce4000"
              },
              {
                "name": "ModuleName",
                "value": "WINHTTP.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\WKSCLI.DLL"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wkscli.dll"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wkscli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wkscli.dll"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7290000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a72a4000"
              },
              {
                "name": "ModuleName",
                "value": "WKSCLI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a729d000"
              },
              {
                "name": "ModuleName",
                "value": "WKSCLI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a729d000"
              },
              {
                "name": "ModuleName",
                "value": "WKSCLI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a729d000"
              },
              {
                "name": "ModuleName",
                "value": "WKSCLI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a729d000"
              },
              {
                "name": "ModuleName",
                "value": "WKSCLI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a729d000"
              },
              {
                "name": "ModuleName",
                "value": "WKSCLI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "NETUTILS.DLL"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a729d000"
              },
              {
                "name": "ModuleName",
                "value": "WKSCLI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\NETUTILS.DLL"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "NETUTILS.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "NETUTILS.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "NETUTILS.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "NETUTILS.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "NETUTILS.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987344000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00004000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "NETUTILS.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-28 21:56:13,151",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETAPI32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e260000"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-28 21:56:13,167",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\VERSION"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a3240000"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-28 21:56:13,167",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 296
          },
          {
            "timestamp": "2026-06-28 21:56:13,167",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7f80000"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-28 21:56:13,167",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WINHTTP"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a1c10000"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-28 21:56:13,167",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 9,
            "id": 299
          },
          {
            "timestamp": "2026-06-28 21:56:13,167",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WKSCLI"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7290000"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-28 21:56:13,167",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETUTILS"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a75f0000"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\IEFRAME"
              },
              {
                "name": "DllBase",
                "value": "0x7ff986d30000"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\netapi32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e260000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99e261360"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\version"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3240000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a3241390"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\userenv"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f80000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a7f84f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\winhttp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1c10000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a1c5d250"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wkscli"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7290000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a7291d60"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\netutils"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a75f1ce0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-28 21:56:13,182",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ieframe.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6087000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff994050000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "comctl32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "InitCommonControlsEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940d5550"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa332000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa332000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\ieframe"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff986d30000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff986e52280"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff7c193c000"
              },
              {
                "name": "ModuleName",
                "value": "iexplore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c1935b82",
            "parentcaller": "0x7ff7c193231f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff7c193c000"
              },
              {
                "name": "ModuleName",
                "value": "iexplore.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "OperationalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "OperationalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-28 21:56:13,198",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegSetValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "OperationalData"
              },
              {
                "name": "Type",
                "value": "11"
              },
              {
                "name": "Buffer",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegDeleteValueW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              },
              {
                "name": "ValueName",
                "value": "Isolation"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "Isolation"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "Isolation"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "Isolation64Bit"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "Isolation64Bit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "AppV"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AppV"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\WMITelemetry"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\WMITelemetry"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\WMITelemetry"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\WMITelemetry"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\WMITelemetry"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "HangRecovery"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "HangRecovery"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Safety\\PrivacIE"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x49006300610076"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6088000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a5b50000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a5b50000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a5b57ce0"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe6\\xf6\\xccG\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-28 21:56:13,214",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987463000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-downlevel-ole32-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a96b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-downlevel-ole32-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetPSClsid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a978b000"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987463000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c608e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c608f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x000002c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "RaiseActivationAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xe9\\xf6\\xccG\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff0\\xea\\xf6\\xccG\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "AppID\\iexplore.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\iexplore.exe"
              }
            ],
            "repeated": 1,
            "id": 406
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x000002c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "RaiseDefaultAuthnLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000002c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "DefaultAccessPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\x83\\x07\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00002100"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xef\\xf6\\xccG\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x01F\\xa8\\xf9\\x7f\\x00\\x00\\x938o-\\xad\\xd3\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000115c"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.COM.DISABLE.4444"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.IEC.STATUS.6c736db0"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6093000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d0"
              },
              {
                "name": "ValueName",
                "value": "NdrOleExtDLL"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "NdrOleInitializeExtension"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97850f0"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9747c50"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96dc030"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf4\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00L\\x00S\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf5\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\xadU?\\xac\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x83\\x07\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8#\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00S\\x0fo-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00@\\xe6\\xf6\\xccG\\x00\\x00\\x008\\xe6\\xf6\\xccG\\x00\\x00\\x00\\x08\\xe6\\xf6\\xccG\\x00\\x00\\x00(\\xe6\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0#\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00(\\xe4\\xf6\\xccG\\x00\\x00\\x00\\xd4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf5\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xf7\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00t\\x00y\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00s\\x00o\\x00n\\x00a\\x00t\\x00i\\x00o\\x00n\\x00 \\x00D\\x00y\\x00n\\x00a\\x00m\\x00i\\x00c\\x00 \\x00F\\x00a\\x00l\\x00s\\x00e\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x84\\x07\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "h#\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xb3\\x08o-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xa0\\xe2\\xf6\\xccG\\x00\\x00\\x00\\x98\\xe2\\xf6\\xccG\\x00\\x00\\x00h\\xe2\\xf6\\xccG\\x00\\x00\\x00\\x88\\xe2\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`#\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xe0\\xf6\\xccG\\x00\\x00\\x00\\xd4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6095000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1f1c607f800"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "4416"
              },
              {
                "name": "ProcessId",
                "value": "4444"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002d8",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1f1c607f800"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4416"
              },
              {
                "name": "ProcessId",
                "value": "4444"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe9\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xf1\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\xadU?\\xac\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00n\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x84\\x07\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8!\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x033o-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x10\\xea\\xf6\\xccG\\x00\\x00\\x00\\x08\\xea\\xf6\\xccG\\x00\\x00\\x00\\xd8\\xe9\\xf6\\xccG\\x00\\x00\\x00\\xf8\\xe9\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000!\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xe7\\xf6\\xccG\\x00\\x00\\x00\\xe0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf5\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00U\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00a\\x00j\\x00e\\x00s\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xa5\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8!\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00c\\x0fo-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00p\\xe6\\xf6\\xccG\\x00\\x00\\x00h\\xe6\\xf6\\xccG\\x00\\x00\\x008\\xe6\\xf6\\xccG\\x00\\x00\\x00X\\xe6\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0!\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xe4\\xf6\\xccG\\x00\\x00\\x00\\xe0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xf5\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xf1\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\xadU?\\xac\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00n\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x84\\x07\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8$\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x033o-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x10\\xea\\xf6\\xccG\\x00\\x00\\x00\\x08\\xea\\xf6\\xccG\\x00\\x00\\x00\\xd8\\xe9\\xf6\\xccG\\x00\\x00\\x00\\xf8\\xe9\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0$\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xe7\\xf6\\xccG\\x00\\x00\\x00\\xd8\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xe9\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf5\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00U\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00a\\x00j\\x00e\\x00s\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x84\\x07\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98%\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00c\\x0fo-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00p\\xe6\\xf6\\xccG\\x00\\x00\\x00h\\xe6\\xf6\\xccG\\x00\\x00\\x008\\xe6\\xf6\\xccG\\x00\\x00\\x00X\\xe6\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90%\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xe4\\xf6\\xccG\\x00\\x00\\x00\\xd8\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "4416",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf1\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00n\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf8\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xa5\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "x&\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x033o-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x10\\xea\\xf6\\xccG\\x00\\x00\\x00\\x08\\xea\\xf6\\xccG\\x00\\x00\\x00\\xd8\\xe9\\xf6\\xccG\\x00\\x00\\x00\\xf8\\xe9\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p&\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xe7\\xf6\\xccG\\x00\\x00\\x00\\xe0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xf7\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf7\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00U\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00a\\x00j\\x00e\\x00s\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\x00\\x00\\x00\\x004] A"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8k\t\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8!\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00c\\x0fo-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00p\\xe6\\xf6\\xccG\\x00\\x00\\x00h\\xe6\\xf6\\xccG\\x00\\x00\\x008\\xe6\\xf6\\xccG\\x00\\x00\\x00X\\xe6\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000!\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xe4\\xf6\\xccG\\x00\\x00\\x00\\xe0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6097000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-28 21:56:13,229",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xf5\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xf1\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00n\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x84\\x07\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8$\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x033o-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x10\\xea\\xf6\\xccG\\x00\\x00\\x00\\x08\\xea\\xf6\\xccG\\x00\\x00\\x00\\xd8\\xe9\\xf6\\xccG\\x00\\x00\\x00\\xf8\\xe9\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0$\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xe7\\xf6\\xccG\\x00\\x00\\x00\\xd8\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "VF\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xf6\\x06\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xf7\\x06\\xc6\\xf1\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\x00\\x00\\x00\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "Xj\t\\xc6\\xf1\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "x&\\x08\\xc6\\xf1\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00c\\x0fo-\\xad\\xd3\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00p\\xe6\\xf6\\xccG\\x00\\x00\\x00h\\xe6\\xf6\\xccG\\x00\\x00\\x008\\xe6\\xf6\\xccG\\x00\\x00\\x00X\\xe6\\xf6\\xcc"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p&\\x08\\xc6\\xf1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xe4\\xf6\\xccG\\x00\\x00\\x00\\xd8\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6098000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3240",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3240",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x1f1c6050b50"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3240",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002e0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3240",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c609a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{F686878F-7B42-4CC4-96FB-F4F3B6E3D24D}"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{F686878F-7B42-4CC4-96FB-F4F3B6E3D24D}"
              }
            ],
            "repeated": 1,
            "id": 577
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CLSIDFromOle1Class"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97680a0"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf0\\xf6\\xccG\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff \\xf1\\xf6\\xccG\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:4444:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000304"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000304"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c7b10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x47ccf6f160"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "ValueName",
                "value": "Com+Enabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000040"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 595
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "clbcatq.dll"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000308"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a96a4000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "4736",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "4736",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x1f1c6050b50"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c6008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030c"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\MaximumCommitCondition"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\clbcatq"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a961d990"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Classes\\PackagedCom"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987463000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUninitialize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970c0e0"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987463000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "4736",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000310"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "4736",
            "caller": "0x7ff9a9c3c877",
            "parentcaller": "0x7ff9a9c3c7d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "4736",
            "caller": "0x7ff9a9c1dde1",
            "parentcaller": "0x7ff9a9c1dd54",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c7b10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "TSEnable"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "TSEnable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": "ie_ias_0000115C-0000-0000-0000-000000000000"
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f1c7b10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x47ccf6f3b0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000240"
              },
              {
                "name": "SubKey",
                "value": "FEATURE_SYSTEM_DPI_AWARE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_SYSTEM_DPI_AWARE"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 639
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000023c"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000304"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000023c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              },
              {
                "name": "ValueName",
                "value": "CompatibilityFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\CompatibilityFlags"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987463000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrLoadDll",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "IEShims.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-06-28 21:56:13,245",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "IEShims.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-28 21:56:13,276",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987463000"
              },
              {
                "name": "ModuleName",
                "value": "IEFRAME.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-28 21:56:13,276",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-win-kernel32-errorhandling-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-28 21:56:13,292",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": false,
            "return": "0xffffffffc0000061",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\WerFault.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-28 21:56:13,292",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\WerFault.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748"
              },
              {
                "name": "CreationFlags",
                "value": "0x00080000",
                "pretty_value": "EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "0"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-28 21:56:13,292",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000031c"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\WerFault.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "4112"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-28 21:56:13,292",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7a90000"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-28 21:56:13,292",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-06-28 21:56:13,292",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 654
          },
          {
            "timestamp": "2026-06-28 21:56:13,339",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-28 21:56:13,354",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\WerFault.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748"
              },
              {
                "name": "CreationFlags",
                "value": "0x01080000",
                "pretty_value": "EXTENDED_STARTUPINFO_PRESENT|CREATE_BREAKAWAY_FROM_JOB"
              },
              {
                "name": "ProcessId",
                "value": "4112"
              },
              {
                "name": "ThreadId",
                "value": "4428"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000031c"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-28 21:56:13,745",
            "thread_id": "3412",
            "caller": "0x7ff7c193175f",
            "parentcaller": "0x7ff7c1931c06",
            "category": "system",
            "api": "NtRaiseHardError",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ErrorStatus",
                "value": "0xd0000144"
              },
              {
                "name": "ResponseOptions",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-28 21:56:19,010",
            "thread_id": "3412",
            "caller": "0x7ff9aaa42672",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0xc06d007e"
              }
            ],
            "repeated": 0,
            "id": 658
          }
        ],
        "threads": [
          "3412",
          "3180",
          "2476",
          "4424",
          "4416",
          "3240",
          "4736"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff7c1930000",
          "MainExeSize": "0x000cc000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 4112,
        "process_name": "WerFault.exe",
        "parent_id": 4444,
        "module_path": "C:\\Windows\\System32\\WerFault.exe",
        "first_seen": "2026-06-28 21:56:13,395",
        "calls": [
          {
            "timestamp": "2026-06-28 21:56:13,551",
            "thread_id": "4428",
            "caller": "0x7ff9aaa5c1e7",
            "parentcaller": "0x7ff9aaa5bf7a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\ntmarta"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e00000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6e06930"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-28 21:56:13,551",
            "thread_id": "4428",
            "caller": "0x7ff9a5d8668d",
            "parentcaller": "0x7ff9a5d94ebf",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x29159f90000",
            "arguments": [
              {
                "name": "Options",
                "value": "0"
              },
              {
                "name": "InitialSize",
                "value": "0x00000000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-28 21:56:13,551",
            "thread_id": "4428",
            "caller": "0x7ff9a5d8668d",
            "parentcaller": "0x7ff9a5d94ebf",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wer"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5d40000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a5d94d80"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-28 21:56:13,551",
            "thread_id": "4428",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156bdc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-28 21:56:13,551",
            "thread_id": "4428",
            "caller": "0x7ff99763125f",
            "parentcaller": "0x7ff9a834e473",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9a8494d86",
            "parentcaller": "0x7ff9976481dc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99780b000"
              },
              {
                "name": "ModuleName",
                "value": "dbghelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156bdf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a84632e1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-file-l1-2-1.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a84632e1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a8430000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-file-l1-2-1.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff997648089",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a8430000"
              },
              {
                "name": "FunctionName",
                "value": "GetTempPathW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a849e660"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9a8494d86",
            "parentcaller": "0x7ff99764826c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99780b000"
              },
              {
                "name": "ModuleName",
                "value": "dbghelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9a8494d86",
            "parentcaller": "0x7ff99764826c",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\dbghelp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff997630000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99764b1a0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaaae327",
            "parentcaller": "0x7ff9aaa0faf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa51fc5",
            "parentcaller": "0x7ff9aaa0faf7",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4428"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa05157",
            "parentcaller": "0x7ff9aaa043ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "UMPDC.dll"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa4f29b",
            "parentcaller": "0x7ff9aaa4f127",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\umpdc.dll"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa4fbbc",
            "parentcaller": "0x7ff9aaa4f6d0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\umpdc.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa4fc1e",
            "parentcaller": "0x7ff9aaa4f6d0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000230"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\umpdc.dll"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa04d42",
            "parentcaller": "0x7ff9aaa04aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aa9ffee4",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f70000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aa9fffb5",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f6a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aa9fffed",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f6a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa00068",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f6a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa0009c",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f6a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa05082",
            "parentcaller": "0x7ff9aaa079d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f6a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa4fc88",
            "parentcaller": "0x7ff9aaa4f6d0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa4fc91",
            "parentcaller": "0x7ff9aaa4f6d0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa37b9c",
            "parentcaller": "0x7ff9aaa2288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f6a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa37b9c",
            "parentcaller": "0x7ff9aaa2288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7f60000"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa5c1e7",
            "parentcaller": "0x7ff9aaa5bf7a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\umpdc"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f60000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a7f63e30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8020000"
              },
              {
                "name": "ModuleName",
                "value": "powrprof.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8020000"
              },
              {
                "name": "ModuleName",
                "value": "powrprof.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\powrprof"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8003480"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa5c1e7",
            "parentcaller": "0x7ff9aaa5bf7a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\dbgcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998530000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99854b730"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa5c1e7",
            "parentcaller": "0x7ff9aaa5bf7a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\Faultrep"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff997fb0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff997ff4ce0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4428",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff711d02400"
              },
              {
                "name": "Parameter",
                "value": "0xce499f5000"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4300",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4300",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "2608",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "2608",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4660",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4660",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4884",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-28 21:56:13,567",
            "thread_id": "4884",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711d02881",
            "parentcaller": "0x7ff711d022d9",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff711d02830"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711d0221e",
            "parentcaller": "0x7ff711d02319",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156be1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711d0221e",
            "parentcaller": "0x7ff711d02319",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585e7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711cbe050",
            "parentcaller": "0x7ff711cda274",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711cbe0a1",
            "parentcaller": "0x7ff711cda274",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "TraceFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711cbe0d5",
            "parentcaller": "0x7ff711cda274",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711cbe050",
            "parentcaller": "0x7ff711cda297",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711cbe0a1",
            "parentcaller": "0x7ff711cda297",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "TraceFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-28 21:56:13,583",
            "thread_id": "4428",
            "caller": "0x7ff711cbe0d5",
            "parentcaller": "0x7ff711cda297",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wer.dll.3.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\Comctl32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff994050000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5e1a000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5e1a000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5e1a000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5e1a000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a5b50000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a5b50000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a5b57ce0"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xea\\xa7I\\xce\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000260"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000264"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9a10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00115000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aec000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aec000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156be2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\n\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9a10000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msctf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9a10000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a9a51520"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000274"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000274"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "f]\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\2\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000274"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xce49a7e0e0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Windows\\Theme4054054479"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\2\\Windows\\Theme738112361"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000278"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29159e70000"
              },
              {
                "name": "SectionOffset",
                "value": "0xce49a7e800"
              },
              {
                "name": "ViewSize",
                "value": "0x000e2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000027c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xce49a7e800"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa9f93b0"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f9b0"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa32450"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa4cb70"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:4112:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4724",
            "parentcaller": "0x7ff711d0237d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb83b0",
            "parentcaller": "0x7ff711cb4734",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNT"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xf1\\xa7I\\xce\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x91\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00\\x15k\\xf9\\x7f\\x00\\x00\\xe8\\xf2\\xa7I\\xce\\x00\\x00\\x00 \\x14\\xa2\\x86\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8,\\xc9\\x86\\xf9\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000028c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000028c"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000028c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 133
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-28 21:56:13,598",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "NewUserDefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DontSendAdditionalData"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Disabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Disabled"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "Consent"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "Consent"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LoggingDisabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DontShowUI"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "DebugApplications"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29159f92000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29159f93000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "AutoApproveOSDumps"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "Consent"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "DefaultConsent"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "Consent"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "DefaultOverrideBehavior"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "DebugApplications"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "DebugApplications"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29159f95000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MaxQueueCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MaxArchiveCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ConfigureArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "DebugApplications"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseSSL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerPortNumber"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseAuthentication"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MinFreeDiskSpace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceHeapDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceMetadata"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Source"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Source"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\User"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "StorePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\StorePath"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceEtw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "UploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveSeparate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LocalCompression"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableWerUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableEnterpriseAuthProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ArchiveFolderCountLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueueSizeMaxPercentFreeDisk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MinQueueSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MaxRetriesForSasRenewal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "NoHeapDumpOnQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DeferCabUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueuePesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-28 21:56:13,614",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MaxQueueCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MaxArchiveCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ConfigureArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableArchive"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000290"
              },
              {
                "name": "SubKey",
                "value": "DebugApplications"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseSSL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerPortNumber"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUseAuthentication"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassDataThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceUserModeCabCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassPowerThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "BypassNetworkCostThrottling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueueNoPesterInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MinFreeDiskSpace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LiveReportFlushInterval"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceHeapDump"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceMetadata"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Source"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "StorePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ForceEtw"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CorporateWerUploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "UploadOnFreeNetworksOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveSeparate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "CabArchiveCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "LocalCompression"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableWerUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableEnterpriseAuthProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ArchiveFolderCountLimit"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "QueueSizeMaxPercentFreeDisk"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MinQueueSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MaxRetriesForSasRenewal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "NoHeapDumpOnQueue"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DeferCabUpload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa9f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f8d0"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 284
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa9f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa68480"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "1"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "45"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000290"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a35e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "policymanager.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a35e6570"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a35e9490"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a95f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a95f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-28 21:56:13,629",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ConfigureTelemetryOptInSettingsUx_ProviderSet"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156be4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa9f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f8d0"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 350
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa9f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa68480"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "1"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "45"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000270"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a35e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "policymanager.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a35e6570"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a35e9490"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ConfigureTelemetryOptInSettingsUx_ProviderSet"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa9f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySecurityPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f8d0"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 413
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000b8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa9f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa68480"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "1"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "45"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000270"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000101",
                "pretty_value": "KEY_QUERY_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000270"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "AllowTelemetry"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-28 21:56:13,645",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "policymanager.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a35e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "policymanager.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_GetPolicy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a35e6570"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "FunctionName",
                "value": "PolicyManager_FreeGetPolicyData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a35e9490"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a367d000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "ConfigureTelemetryOptInSettingsUx_ProviderSet"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisableTelemetryOptInSettingsUx"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a35e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "MSFTInternal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Policies\\Microsoft\\SQMClient"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-28 21:56:13,661",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\SQMClient"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "ValueName",
                "value": "IsTest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000270"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000270"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000026c"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00\\x00\\x03"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000270"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:4112:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000294"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000298"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00\\x00\n"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000294"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x29156bb0000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00160080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|WRITE_DAC|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000029c"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000029c"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000002a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00\\x00\\x02"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000029c"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "N\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5e1a000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5e1a000"
              },
              {
                "name": "ModuleName",
                "value": "wer.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-28 21:56:13,676",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000002a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\xfa@4I\\xb9\\x02\\xc7\\xd8\\xc9\\xb1\\xbb\\xec\n\\x9dzD\\xa9\\x95\\xefa=\\x13p:\\xd4fB\\x86H\\xca\\xdb\\xa8-\\x8e\\x89\\x1aq>9?\\xd4\\xe2NG`J\\xb5\\x86"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0010000",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|DELETE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\5e529681-15ec-4457-b87b-a2ba4e8575ff"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 551
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000002ac"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0030",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH"
              },
              {
                "name": "InBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00\\x00\\x03"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000298"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\WER"
              },
              {
                "name": "FileInformationClass",
                "value": "48",
                "pretty_value": "FileNetworkPhysicalNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "D\\x00\\x00\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00W\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4744",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb49c9",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156be6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb49c9",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156be6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb49c9",
            "parentcaller": "0x7ff711d0237d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29156be6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4ad9",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4af9",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4b19",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4b39",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb4b5c",
            "parentcaller": "0x7ff711d0237d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb3ace",
            "parentcaller": "0x7ff711d04b28",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711cb3aeb",
            "parentcaller": "0x7ff711d04b28",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x291585e1268"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-28 21:56:13,692",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x8007053d"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x291585d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29159f90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000200"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f4"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f0"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b8"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001bc"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000bc"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ac"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000190"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000194"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000018c"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000180"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000184"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000188"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000168"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000148"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000150"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000154"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000158"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000015c"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000164"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000160"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000124"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000120"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000118"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000011c"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000110"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000010c"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f8"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e0"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e4"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ec"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000100"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000fc"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000dc"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000d4"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000d8"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000c0"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000c4"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000008c"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000094"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000094"
              },
              {
                "name": "ValueName",
                "value": "DisableMetaFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000094"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000094"
              },
              {
                "name": "ValueName",
                "value": "DisableUmpdBufferSizeCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-06-28 21:56:13,708",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000088"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000084"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000080"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c8"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000070"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000054"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000044"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000048"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000050"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-28 21:56:13,723",
            "thread_id": "4428",
            "caller": "0x7ff711d02394",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x8007053d"
              }
            ],
            "repeated": 0,
            "id": 684
          }
        ],
        "threads": [
          "4428",
          "4300",
          "2608",
          "4660",
          "4884"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff711cb0000",
          "MainExeSize": "0x0008e000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "iexplore.exe",
        "pid": 4444,
        "parent_id": 2892,
        "module_path": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe",
        "children": [
          {
            "name": "WerFault.exe",
            "pid": 4112,
            "parent_id": 4444,
            "module_path": "C:\\Windows\\System32\\WerFault.exe",
            "children": [],
            "threads": [
              "4428",
              "4300",
              "2608",
              "4660",
              "4884"
            ],
            "environ": {
              "UserName": "Rajesh",
              "ComputerName": "DESKTOP-P54VDBR",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "1c64-b66f",
              "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff711cb0000",
              "MainExeSize": "0x0008e000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "3412",
          "3180",
          "2476",
          "4424",
          "4416",
          "3240",
          "4736"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe\" ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff7c1930000",
          "MainExeSize": "0x000cc000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "\\Device\\CNG",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\msIso.dll",
        "C:\\Windows\\System32\\msIso.dll",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "C:\\Windows\\system32",
        "C:\\Windows",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\IEFRAME.dll",
        "C:\\Windows\\System32\\ieframe.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\NETAPI32.dll",
        "C:\\Windows\\System32\\netapi32.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\VERSION.dll",
        "C:\\Windows\\System32\\version.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\USERENV.dll",
        "C:\\Windows\\System32\\userenv.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\WINHTTP.dll",
        "C:\\Windows\\System32\\winhttp.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\WKSCLI.DLL",
        "C:\\Windows\\System32\\wkscli.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\NETUTILS.DLL",
        "C:\\Windows\\System32\\netutils.dll",
        "C:\\Windows\\System32\\umpdc.dll",
        "C:\\Windows\\System32\\wer.dll.3.Manifest",
        "C:\\ProgramData\\Microsoft\\Windows\\WER",
        "\\??\\MountPointManager",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\5e529681-15ec-4457-b87b-a2ba4e8575ff"
      ],
      "read_files": [],
      "write_files": [
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp",
        "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\5e529681-15ec-4457-b87b-a2ba4e8575ff"
      ],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLESAFESEARCHPATH_KB963027",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\Software\\Policies",
        "HKEY_CURRENT_USER\\Software\\Policies",
        "HKEY_CURRENT_USER\\Software",
        "HKEY_LOCAL_MACHINE\\Software",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Low Rights",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights\\ProtectedModeOffForAllZones",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AppV",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\WMITelemetry",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\WMITelemetry",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\WMITelemetry",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\WMITelemetry",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Safety\\PrivacIE",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Safety\\PrivacIE",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Safety\\PrivacIE",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Safety\\PrivacIE",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
        "HKEY_CURRENT_USER\\Software\\Classes",
        "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\iexplore.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{F686878F-7B42-4CC4-96FB-F4F3B6E3D24D}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\PackagedCom",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_SYSTEM_DPI_AWARE",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\CompatibilityFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNT",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Source",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\System",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\MSFTInternal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\IsTest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights\\ProtectedModeOffForAllZones",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AppV",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\CompatibilityFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Source",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\MSFTInternal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\IsTest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
      ],
      "write_keys": [
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData"
      ],
      "delete_keys": [
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation"
      ],
      "executed_commands": [
        "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748"
      ],
      "resolved_apis": [],
      "mutexes": [
        "Local\\SM0:4444:304:WilStaging_02",
        "Local\\SM0:4112:304:WilStaging_02",
        "Local\\SM0:4112:120:WilError_03"
      ],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,073",
        "eid": 1,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,120",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,120",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,120",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,120",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,120",
        "eid": 6,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,120",
        "eid": 7,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 8,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 9,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 10,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 11,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 12,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 13,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 14,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 15,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 16,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 17,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 18,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 19,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 20,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 21,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 22,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa760000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 23,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 24,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 25,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa3d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 26,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 27,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights\\ProtectedModeOffForAllZones",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,135",
        "eid": 28,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,182",
        "eid": 29,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,198",
        "eid": 30,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,198",
        "eid": 31,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,198",
        "eid": 32,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,198",
        "eid": 33,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,198",
        "eid": 34,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,198",
        "eid": 35,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,198",
        "eid": 36,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\OperationalData",
          "content": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "delete",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 37,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 38,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 39,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 40,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 41,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\Isolation64Bit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 42,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AppV",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 43,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 44,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\HangRecovery",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 45,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 46,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a5b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 47,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,214",
        "eid": 48,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 49,
        "data": {
          "file": "api-ms-win-downlevel-ole32-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a96b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 50,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 51,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 52,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 53,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 54,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 55,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 56,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 57,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 58,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
          "content": "combase.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 59,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,229",
        "eid": 60,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 61,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 62,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 63,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 64,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 65,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TSEnable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 66,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\CompatibilityFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 67,
        "data": {
          "file": "IEShims.dll",
          "pathtofile": null,
          "moduleaddress": "0x00000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,245",
        "eid": 68,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,276",
        "eid": 69,
        "data": {
          "file": "ext-ms-win-kernel32-errorhandling-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa3d0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:13,292",
        "eid": 70,
        "data": {
          "file": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,339",
        "eid": 71,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:13,354",
        "eid": 72,
        "data": {
          "file": "C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,567",
        "eid": 73,
        "data": {
          "file": "api-ms-win-core-file-l1-2-1.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,567",
        "eid": 74,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,583",
        "eid": 75,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,583",
        "eid": 76,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\TraceFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 77,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 78,
        "data": {
          "file": "Comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 79,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 80,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a5b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 81,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 82,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 83,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 84,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,598",
        "eid": 85,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 86,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\NewUserDefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 87,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 88,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 89,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 90,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 91,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 92,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 93,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 94,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 95,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 96,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 97,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 98,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 99,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\AutoApproveOSDumps",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 118,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 119,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 120,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 121,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 122,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 123,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 124,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 125,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 126,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 127,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 142,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 143,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\Source",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\User",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 147,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,614",
        "eid": 164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 169,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassPowerThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 175,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassNetworkCostThrottling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueNoPesterInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinFreeDiskSpace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LiveReportFlushInterval",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceHeapDump",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceMetadata",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Source",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\User",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\StorePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceEtw",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\UploadOnFreeNetworksOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveSeparate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CabArchiveCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalCompression",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableWerUpload",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableEnterpriseAuthProxy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ArchiveFolderCountLimit",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueueSizeMaxPercentFreeDisk",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MinQueueSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxRetriesForSasRenewal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\NoHeapDumpOnQueue",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DeferCabUpload",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 199,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 200,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 201,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 202,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 203,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 204,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 205,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a35e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 206,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 207,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 208,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 209,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 210,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 211,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 212,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
          "content": "DisableTelemetryOptInSettingsUx"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,629",
        "eid": 218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 225,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 226,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 227,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 229,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 230,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 232,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a35e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 233,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
          "content": "DisableTelemetryOptInSettingsUx"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 252,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 253,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 254,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 256,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 257,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,645",
        "eid": 258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\\Users\\S-1-5-21-3262678163-160926255-2192883574-1002\\AllowTelemetry",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 259,
        "data": {
          "file": "policymanager.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a35e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 260,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 262,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\MergeAlgorithm",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyname",
          "content": "DisableTelemetryOptInSettingsUx"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\DataCollection"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 276,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 277,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\System\\ConfigureTelemetryOptInSettingsUx_ProviderSet",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableTelemetryOptInSettingsUx",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 279,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\MSFTInternal",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,661",
        "eid": 282,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,676",
        "eid": 283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\IsTest",
          "content": null
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-06-28 21:56:13,676",
        "eid": 284,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-06-28 21:56:13,676",
        "eid": 285,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-06-28 21:56:13,676",
        "eid": 286,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,676",
        "eid": 287,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,692",
        "eid": 288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,692",
        "eid": 289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,692",
        "eid": 290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,692",
        "eid": 291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,692",
        "eid": 292,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,692",
        "eid": 293,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 294,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 295,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 296,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 297,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 298,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,708",
        "eid": 301,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:13,723",
        "eid": 302,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": [],
      "com_activations": []
    }
  },
  "debug": {
    "log": "2026-06-28 14:55:57,610 [root] INFO: Date set to: 20260629T10:43:25, timeout set to: 20\n2026-06-29 10:43:25,263 [root] DEBUG: Starting analyzer from: C:\\2_6me6uj\n2026-06-29 10:43:25,264 [root] DEBUG: Storing results at: C:\\ACkZhSvQBI\n2026-06-29 10:43:25,264 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\hWpGIVU\n2026-06-29 10:43:25,265 [root] DEBUG: Python path: C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\n2026-06-29 10:43:25,265 [root] INFO: analysis running as an admin\n2026-06-29 10:43:25,266 [root] INFO: analysis package specified: \"exe\"\n2026-06-29 10:43:25,267 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2026-06-29 10:43:25,274 [root] DEBUG: imported analysis package \"exe\"\n2026-06-29 10:43:25,275 [root] DEBUG: initializing analysis package \"exe\"...\n2026-06-29 10:43:25,275 [lib.common.common] INFO: no wrapping\n2026-06-29 10:43:25,276 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-29 10:43:25,277 [root] DEBUG: New location of moved file: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe\n2026-06-29 10:43:25,278 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll option\n2026-06-29 10:43:25,278 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll_64 option\n2026-06-29 10:43:25,279 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2026-06-29 10:43:25,279 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2026-06-29 10:43:25,368 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-06-29 10:43:25,381 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-06-29 10:43:25,431 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-06-29 10:43:25,475 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-06-29 10:43:25,489 
[lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-06-29 10:43:25,490 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-06-29 10:43:25,491 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-06-29 10:43:25,494 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-06-29 10:43:25,495 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-06-29 10:43:25,495 [root] DEBUG: attempting to configure 'Browser' from data\n2026-06-29 10:43:25,496 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-06-29 10:43:25,496 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-06-29 10:43:26,535 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-06-29 10:43:26,536 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-06-29 10:43:26,536 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-06-29 10:43:26,536 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-06-29 10:43:26,536 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-06-29 10:43:26,536 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-06-28 14:56:01,779 [modules.auxiliary.digisig] DEBUG: File has an invalid signature\n2026-06-28 14:56:01,780 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-06-28 14:56:01,782 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-06-28 14:56:01,783 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-06-28 14:56:01,783 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-06-28 14:56:01,784 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-06-28 14:56:01,784 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-06-28 14:56:01,795 [modules.auxiliary.disguise] INFO: Launched background process 
notepad.exe hidden (PID: 3604)\n2026-06-28 14:56:01,800 [modules.auxiliary.disguise] INFO: Disguising GUID to 842c770e-8d4c-479e-81ce-001439b61ed1\n2026-06-28 14:56:01,800 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-06-28 14:56:01,801 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-06-28 14:56:01,801 [root] DEBUG: attempting to configure 'Human' from data\n2026-06-28 14:56:01,802 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-06-28 14:56:01,802 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-06-28 14:56:01,829 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-06-28 14:56:01,832 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-06-28 14:56:01,833 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-06-28 14:56:01,833 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-06-28 14:56:01,834 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-06-28 14:56:01,836 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-06-28 14:56:01,836 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-06-28 14:56:01,836 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-06-28 14:56:01,836 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-06-28 14:56:01,836 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-06-28 14:56:01,837 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-06-28 14:56:01,842 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-06-28 14:56:01,842 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-06-28 14:56:08,317 [root] INFO: Restarting WMI Service\n2026-06-28 14:56:10,547 [root] DEBUG: package 
modules.packages.exe does not support configure, ignoring\n2026-06-28 14:56:10,548 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2026-06-28 14:56:10,549 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-28 14:56:10,557 [lib.api.process] INFO: Successfully executed process from path \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe\" with arguments \"\" with pid 4444\n2026-06-28 14:56:10,789 [lib.api.process] INFO: Monitor config for process 4444: C:\\2_6me6uj\\dll\\4444.ini\n2026-06-28 14:56:10,802 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\VUYJWNos.dll, loader C:\\2_6me6uj\\bin\\OGrOjvpd.exe\n2026-06-28 14:56:10,821 [root] DEBUG: Loader: Injecting process 4444 (thread 3412) with C:\\2_6me6uj\\dll\\VUYJWNos.dll.\n2026-06-28 14:56:10,822 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:10,823 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\VUYJWNos.dll.\n2026-06-28 14:56:10,826 [lib.api.process] INFO: Injected into 64-bit <Process 4444 iexplore.exe>\n2026-06-28 14:56:12,839 [lib.api.process] INFO: Successfully resumed process with pid 4444\n2026-06-28 14:56:12,865 [root] DEBUG: 4444: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:12,869 [root] DEBUG: 4444: Disabling sleep skipping.\n2026-06-28 14:56:12,870 [root] DEBUG: 4444: Dropped file limit defaulting to 100.\n2026-06-28 14:56:12,886 [root] DEBUG: 4444: YaraInit: Compiled 44 rule files\n2026-06-28 14:56:12,889 [root] DEBUG: 4444: YaraInit: Compiled rules saved to file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-28 14:56:12,945 [root] DEBUG: 4444: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-28 14:56:12,946 [root] DEBUG: 4444: YaraScan: Scanning 0x00007FF7C1930000, size 
0xcb0bb\n2026-06-28 14:56:12,960 [root] DEBUG: 4444: Monitor initialised: 64-bit capemon loaded in process 4444 at 0x00007FF986960000, thread 3412, image base 0x00007FF7C1930000, stack from 0x00000047CCF61000-0x00000047CCF70000\n2026-06-28 14:56:12,963 [root] DEBUG: 4444: Commandline: \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\iexplore.exe\"\n2026-06-28 14:56:12,978 [root] DEBUG: 4444: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-28 14:56:13,033 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-28 14:56:13,034 [root] DEBUG: 4444: set_hooks: Unable to hook LockResource\n2026-06-28 14:56:13,051 [root] DEBUG: 4444: Hooked 630 out of 631 functions\n2026-06-28 14:56:13,060 [root] DEBUG: 4444: Syscall hook installed, syscall logging level 1\n2026-06-28 14:56:13,076 [root] DEBUG: 4444: RestoreHeaders: Restored original import table.\n2026-06-28 14:56:13,079 [root] INFO: Loaded monitor into process with pid 4444\n2026-06-28 14:56:13,084 [root] DEBUG: 4444: caller_dispatch: Added region at 0x00007FF7C1930000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7C1931DF1, thread 3412).\n2026-06-28 14:56:13,086 [root] DEBUG: 4444: YaraScan: Scanning 0x00007FF7C1930000, size 0xcb0bb\n2026-06-28 14:56:13,100 [root] DEBUG: 4444: ProcessImageBase: Main module image at 0x00007FF7C1930000 unmodified (entropy change 0.000000e+00)\n2026-06-28 14:56:13,104 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-28 14:56:13,112 [root] DEBUG: 4444: DLL loaded at 0x00007FF99E3A0000: C:\\Windows\\SYSTEM32\\msIso (0x54000 bytes).\n2026-06-28 14:56:13,119 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A6030000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-28 14:56:13,161 [root] DEBUG: 4444: DLL loaded at 0x00007FF99E260000: C:\\Windows\\SYSTEM32\\NETAPI32 (0x18000 bytes).\n2026-06-28 
14:56:13,163 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A3240000: C:\\Windows\\SYSTEM32\\VERSION (0xa000 bytes).\n2026-06-28 14:56:13,165 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A7F80000: C:\\Windows\\SYSTEM32\\USERENV (0x2e000 bytes).\n2026-06-28 14:56:13,171 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A1C10000: C:\\Windows\\SYSTEM32\\WINHTTP (0x108000 bytes).\n2026-06-28 14:56:13,172 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A7290000: C:\\Windows\\SYSTEM32\\WKSCLI (0x17000 bytes).\n2026-06-28 14:56:13,174 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A75F0000: C:\\Windows\\SYSTEM32\\NETUTILS (0xc000 bytes).\n2026-06-28 14:56:13,175 [root] DEBUG: 4444: DLL loaded at 0x00007FF986D30000: C:\\Windows\\SYSTEM32\\IEFRAME (0x757000 bytes).\n2026-06-28 14:56:13,193 [root] DEBUG: 4444: DLL loaded at 0x00007FF994050000: C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32 (0x29a000 bytes).\n2026-06-28 14:56:13,212 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A5B50000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-06-28 14:56:13,243 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-28 14:56:13,288 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A7A90000: C:\\Windows\\SYSTEM32\\Wldp (0x2c000 bytes).\n2026-06-28 14:56:13,290 [root] DEBUG: 4444: DLL loaded at 0x00007FF9A6230000: C:\\Windows\\SYSTEM32\\windows.storage (0x790000 bytes).\n2026-06-28 14:56:13,300 [root] DEBUG: 4444: CreateProcessHandler: Injection info set for new process 4112: C:\\Windows\\system32\\WerFault.exe, ImageBase: 0x00007FF711CB0000\n2026-06-28 14:56:13,302 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 4112\n2026-06-28 14:56:13,302 [lib.api.process] INFO: Monitor config for process 4112: C:\\2_6me6uj\\dll\\4112.ini\n2026-06-28 14:56:13,306 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\VUYJWNos.dll, loader 
C:\\2_6me6uj\\bin\\OGrOjvpd.exe\n2026-06-28 14:56:13,320 [root] DEBUG: Loader: Injecting process 4112 (thread 4428) with C:\\2_6me6uj\\dll\\VUYJWNos.dll.\n2026-06-28 14:56:13,321 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:13,322 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\VUYJWNos.dll.\n2026-06-28 14:56:13,326 [lib.api.process] INFO: Injected into 64-bit <Process 4112 WerFault.exe>\n2026-06-28 14:56:13,332 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 4112\n2026-06-28 14:56:13,332 [lib.api.process] INFO: Monitor config for process 4112: C:\\2_6me6uj\\dll\\4112.ini\n2026-06-28 14:56:13,334 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\VUYJWNos.dll, loader C:\\2_6me6uj\\bin\\OGrOjvpd.exe\n2026-06-28 14:56:13,345 [root] DEBUG: Loader: Injecting process 4112 (thread 4428) with C:\\2_6me6uj\\dll\\VUYJWNos.dll.\n2026-06-28 14:56:13,346 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2026-06-28 14:56:13,346 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\VUYJWNos.dll.\n2026-06-28 14:56:13,349 [lib.api.process] INFO: Injected into 64-bit <Process 4112 WerFault.exe>\n2026-06-28 14:56:13,391 [root] DEBUG: 4112: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:13,392 [root] DEBUG: 4112: Dropped file limit defaulting to 100.\n2026-06-28 14:56:13,399 [root] DEBUG: 4112: Disabling sleep skipping.\n2026-06-28 14:56:13,407 [root] DEBUG: 4112: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-28 14:56:13,429 [root] DEBUG: 4112: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-28 14:56:13,430 [root] DEBUG: 4112: YaraScan: Scanning 0x00007FF711CB0000, size 0x8d440\n2026-06-28 14:56:13,441 [root] DEBUG: 4112: Monitor initialised: 64-bit capemon loaded in process 4112 at 0x00007FF986960000, thread 4428, image 
base 0x00007FF711CB0000, stack from 0x000000CE49A74000-0x000000CE49A80000\n2026-06-28 14:56:13,442 [root] DEBUG: 4112: Commandline: C:\\Windows\\system32\\WerFault.exe -u -p 4444 -s 748\n2026-06-28 14:56:13,458 [root] DEBUG: 4112: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-28 14:56:13,513 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-28 14:56:13,514 [root] DEBUG: 4112: set_hooks: Unable to hook LockResource\n2026-06-28 14:56:13,527 [root] DEBUG: 4112: Hooked 630 out of 631 functions\n2026-06-28 14:56:13,541 [root] DEBUG: 4112: Syscall hook installed, syscall logging level 1\n2026-06-28 14:56:13,549 [root] DEBUG: 4112: RestoreHeaders: Restored original import table.\n2026-06-28 14:56:13,551 [root] INFO: Loaded monitor into process with pid 4112\n2026-06-28 14:56:13,571 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A7F60000: C:\\Windows\\system32\\UMPDC (0x12000 bytes).\n2026-06-28 14:56:13,575 [root] DEBUG: 4112: caller_dispatch: Added region at 0x00007FF711CB0000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF711D02881, thread 4428).\n2026-06-28 14:56:13,576 [root] DEBUG: 4112: YaraScan: Scanning 0x00007FF711CB0000, size 0x8d440\n2026-06-28 14:56:13,591 [root] DEBUG: 4112: ProcessImageBase: Main module image at 0x00007FF711CB0000 unmodified (entropy change 0.000000e+00)\n2026-06-28 14:56:13,597 [root] DEBUG: 4112: DLL loaded at 0x00007FF994050000: C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\Comctl32 (0x29a000 bytes).\n2026-06-28 14:56:13,601 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A5B50000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-06-28 14:56:13,606 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A9A10000: C:\\Windows\\System32\\MSCTF (0x115000 bytes).\n2026-06-28 14:56:13,638 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A7200000: 
C:\\Windows\\SYSTEM32\\msvcp110_win (0x8a000 bytes).\n2026-06-28 14:56:13,639 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A35E0000: C:\\Windows\\SYSTEM32\\policymanager (0xa0000 bytes).\n2026-06-28 14:56:13,651 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A7200000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x8a000 bytes).\n2026-06-28 14:56:13,652 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A35E0000: C:\\Windows\\SYSTEM32\\policymanager (0xa0000 bytes).\n2026-06-28 14:56:13,661 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A7200000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x8a000 bytes).\n2026-06-28 14:56:13,662 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A35E0000: C:\\Windows\\SYSTEM32\\policymanager (0xa0000 bytes).\n2026-06-28 14:56:13,687 [root] DEBUG: 4112: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-28 14:56:13,697 [root] DEBUG: 4112: NtTerminateProcess hook: Attempting to dump process 4112\n2026-06-28 14:56:13,699 [root] DEBUG: 4112: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-28 14:56:13,737 [root] INFO: Process with pid 4112 has terminated\n2026-06-29 03:43:47,816 [modules.auxiliary.human] INFO: Found button \"ok\", clicking it\n2026-06-29 03:43:48,848 [root] INFO: Process with pid 4444 has terminated\n2026-06-29 03:43:48,851 [root] DEBUG: 4444: NtTerminateProcess hook: Attempting to dump process 4444\n2026-06-29 03:43:48,853 [root] DEBUG: 4444: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 03:44:03,060 [root] INFO: Analysis timeout hit, terminating analysis\n2026-06-29 03:44:03,063 [root] INFO: Created shutdown mutex\n2026-06-29 03:44:04,075 [root] INFO: Shutting down package\n2026-06-29 03:44:04,076 [root] INFO: Stopping auxiliary modules\n2026-06-29 03:44:04,076 [root] INFO: Stopping auxiliary module: Browser\n2026-06-29 03:44:04,078 [root] INFO: Stopping auxiliary module: Human\n2026-06-29 03:44:08,200 [root] INFO: Stopping auxiliary module: 
Screenshots\n2026-06-29 03:44:08,201 [root] INFO: Finishing auxiliary modules\n2026-06-29 03:44:08,202 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-06-29 03:44:08,202 [root] WARNING: Folder at path \"C:\\ACkZhSvQBI\\debugger\" does not exist, skipping\n2026-06-29 03:44:08,203 [root] WARNING: Folder at path \"C:\\ACkZhSvQBI\\tlsdump\" does not exist, skipping\n2026-06-29 03:44:08,208 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "e87c01963be084f74fb501c60f49b00ebcd8555bb31627c8f8b7973ebfcd1ef3",
    "hosts": [
      {
        "ip": "173.194.76.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "108.177.15.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "40.126.31.131",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "108.177.15.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.84",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "66.102.1.138",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.138",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.133.95",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.150.119",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.168.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.168.100",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.71.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.16.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [],
    "tcp": [
      {
        "src": "192.168.122.139",
        "sport": 49696,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.122.139",
        "sport": 49697,
        "dst": "74.125.71.94",
        "dport": 443,
        "offset": 95,
        "time": 0.03116607666015625
      },
      {
        "src": "192.168.122.139",
        "sport": 49698,
        "dst": "74.125.206.101",
        "dport": 443,
        "offset": 306,
        "time": 1.6099610328674316
      },
      {
        "src": "192.168.122.139",
        "sport": 49681,
        "dst": "142.251.168.100",
        "dport": 443,
        "offset": 447,
        "time": 4.812189102172852
      },
      {
        "src": "192.168.122.139",
        "sport": 49754,
        "dst": "142.251.168.139",
        "dport": 443,
        "offset": 1204,
        "time": 4.833383083343506
      },
      {
        "src": "192.168.122.139",
        "sport": 49755,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 10377,
        "time": 5.001307964324951
      },
      {
        "src": "192.168.122.139",
        "sport": 49758,
        "dst": "150.171.110.117",
        "dport": 443,
        "offset": 63220,
        "time": 6.200372934341431
      },
      {
        "src": "192.168.122.139",
        "sport": 49679,
        "dst": "142.251.150.119",
        "dport": 443,
        "offset": 76087,
        "time": 7.046654939651489
      },
      {
        "src": "192.168.122.139",
        "sport": 49686,
        "dst": "74.125.133.95",
        "dport": 443,
        "offset": 76440,
        "time": 9.453073024749756
      },
      {
        "src": "192.168.122.139",
        "sport": 49687,
        "dst": "74.125.206.138",
        "dport": 443,
        "offset": 76581,
        "time": 9.874095916748047
      },
      {
        "src": "192.168.122.139",
        "sport": 49682,
        "dst": "66.102.1.138",
        "dport": 443,
        "offset": 76722,
        "time": 10.147125959396362
      },
      {
        "src": "192.168.122.139",
        "sport": 49680,
        "dst": "74.125.206.84",
        "dport": 443,
        "offset": 76863,
        "time": 17.05144691467285
      },
      {
        "src": "192.168.122.139",
        "sport": 49683,
        "dst": "108.177.15.94",
        "dport": 443,
        "offset": 77004,
        "time": 18.672138929367065
      },
      {
        "src": "192.168.122.139",
        "sport": 49761,
        "dst": "40.126.31.131",
        "dport": 443,
        "offset": 77661,
        "time": 22.044246912002563
      },
      {
        "src": "192.168.122.139",
        "sport": 49688,
        "dst": "108.177.15.139",
        "dport": 443,
        "offset": 88037,
        "time": 22.14532494544983
      },
      {
        "src": "192.168.122.139",
        "sport": 49693,
        "dst": "173.194.76.94",
        "dport": 443,
        "offset": 102418,
        "time": 27.125385999679565
      },
      {
        "src": "192.168.122.139",
        "sport": 49695,
        "dst": "108.177.15.139",
        "dport": 443,
        "offset": 196185,
        "time": 30.893821954727173
      },
      {
        "src": "192.168.122.139",
        "sport": 49764,
        "dst": "74.178.240.51",
        "dport": 443,
        "offset": 233788,
        "time": 33.95244002342224
      },
      {
        "src": "192.168.122.139",
        "sport": 49766,
        "dst": "74.179.77.204",
        "dport": 443,
        "offset": 243760,
        "time": 34.789982080459595
      }
    ],
    "udp": [
      {
        "src": "192.168.122.139",
        "sport": 5353,
        "dst": "224.0.0.251",
        "dport": 5353,
        "offset": 966,
        "time": 4.8317649364471436
      },
      {
        "src": "192.168.122.139",
        "sport": 59525,
        "dst": "224.0.0.252",
        "dport": 5355,
        "offset": 1791,
        "time": 4.834264039993286
      },
      {
        "src": "192.168.122.139",
        "sport": 59273,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 14906,
        "time": 5.6360039710998535
      },
      {
        "src": "192.168.122.139",
        "sport": 59842,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 15008,
        "time": 5.684099912643433
      },
      {
        "src": "192.168.122.139",
        "sport": 55147,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 62632,
        "time": 5.991631031036377
      },
      {
        "src": "192.168.122.139",
        "sport": 64824,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 102559,
        "time": 27.671994924545288
      },
      {
        "src": "192.168.122.139",
        "sport": 55237,
        "dst": "224.0.0.252",
        "dport": 5355,
        "offset": 102748,
        "time": 27.675348043441772
      },
      {
        "src": "192.168.122.139",
        "sport": 55238,
        "dst": "239.255.255.250",
        "dport": 1900,
        "offset": 195953,
        "time": 30.73062801361084
      },
      {
        "src": "192.168.122.139",
        "sport": 53847,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 196860,
        "time": 33.009066104888916
      },
      {
        "src": "192.168.122.139",
        "sport": 56516,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 232855,
        "time": 33.932199001312256
      },
      {
        "src": "192.168.122.139",
        "sport": 53459,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 233227,
        "time": 33.94160509109497
      },
      {
        "src": "192.168.122.139",
        "sport": 51490,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 237747,
        "time": 33.9890410900116
      }
    ],
    "icmp": [],
    "http": [],
    "dns": [],
    "smtp": [],
    "irc": [],
    "dead_hosts": []
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "stealth_network",
      "description": "Network activity detected but not expressed in monitor API logs",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "ip": "173.194.76.94"
        },
        {
          "ip": "108.177.15.139"
        },
        {
          "ip": "40.126.31.131"
        },
        {
          "ip": "108.177.15.94"
        },
        {
          "ip": "74.125.206.84"
        },
        {
          "ip": "66.102.1.138"
        },
        {
          "ip": "74.125.206.138"
        },
        {
          "ip": "74.125.133.95"
        },
        {
          "ip": "142.251.150.119"
        },
        {
          "ip": "142.251.168.139"
        },
        {
          "ip": "142.251.168.100"
        },
        {
          "ip": "74.125.206.101"
        },
        {
          "ip": "74.125.71.94"
        },
        {
          "ip": "142.251.16.94"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antivm_checks_available_memory",
      "description": "Checks available memory",
      "categories": [
        "antivm"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4444,
          "cid": 123
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "exploit_heapspray",
      "description": "A possible heap spray exploit has been detected",
      "categories": [
        "exploit"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4444,
          "cid": 14
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 65
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 69
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 318
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 363
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 385
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 387
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 396
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 430
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 469
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 545
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 572
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 576
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 610
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "static_pe_pdbpath",
      "description": "The PE file contains a PDB path",
      "categories": [
        "static"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 80,
      "references": [
        "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
      ],
      "data": [
        {
          "pdbpath": "iexplore.pdb"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4444,
          "cid": 13
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "stealth_timeout",
      "description": "Possible date expiration check, exits too soon after checking local time",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "process": "iexplore.exe, PID 4444"
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 658
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "privilege_elevation_check",
      "description": "Queries process token information to check for Administrator privileges or UAC elevation status",
      "categories": [
        "discovery",
        "privilege_escalation"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4444,
          "cid": 142
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 401
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 581
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "query_fips_reconnaissance",
      "description": "Queried the FIPS cryptography policy, can be used to adapt C2 network encryption or by legitimate encryption software",
      "categories": [
        "discovery",
        "c2"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4444,
          "cid": 29
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 30
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 33
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 35
        },
        {
          "type": "call",
          "pid": 4444,
          "cid": 36
        },
        {
          "type": "call",
          "pid": 4112,
          "cid": 533
        },
        {
          "type": "call",
          "pid": 4112,
          "cid": 534
        },
        {
          "type": "call",
          "pid": 4112,
          "cid": 537
        },
        {
          "type": "call",
          "pid": 4112,
          "cid": 539
        },
        {
          "type": "call",
          "pid": 4112,
          "cid": 540
        },
        {
          "behavioral_fips_reconnaissance": [
            "iexplore.exe (PID: 4444) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "WerFault.exe (PID: 4112) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "WerFault.exe (PID: 4112) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "iexplore.exe (PID: 4444) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "iexplore.exe (PID: 4444) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "iexplore.exe (PID: 4444) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "WerFault.exe (PID: 4112) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "WerFault.exe (PID: 4112) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "WerFault.exe (PID: 4112) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "iexplore.exe (PID: 4444) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'"
          ]
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "packer_unknown_pe_section_name",
      "description": "The binary contains an unknown PE section name indicative of packing",
      "categories": [
        "packer"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "unknown section": {
            "name": "fothk",
            "raw_address": "0x00006000",
            "virtual_address": "0x00006000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "0.02"
          }
        },
        {
          "unknown section": {
            "name": ".didat",
            "raw_address": "0x0000c000",
            "virtual_address": "0x0000c000",
            "virtual_size": "0x00000038",
            "size_of_data": "0x00001000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.06"
          }
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "contains_pe_overlay",
      "description": "The PE file contains an overlay",
      "categories": [
        "static"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "overlay": "Contains overlay at offset 0x000cc000 with size: 10696 bytes"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 2.2,
  "ttps": [
    {
      "signature": "antivm_checks_available_memory",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "privilege_elevation_check",
      "ttps": [
        "T1033",
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "query_fips_reconnaissance",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "exploit_heapspray",
      "ttps": [
        "T1203"
      ],
      "mbcs": [
        "OB0009",
        "E1203",
        "OC0002",
        "C0006"
      ]
    },
    {
      "signature": "packer_unknown_pe_section_name",
      "ttps": [
        "T1027.002",
        "T1027"
      ],
      "mbcs": [
        "OB0001",
        "OB0002",
        "OB0006",
        "F0001"
      ]
    },
    {
      "signature": "contains_pe_overlay",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "static_pe_pdbpath",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": "Clean"
}