{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 3.135
      },
      {
        "name": "AnalysisInfo",
        "time": 0.01
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.35
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.022
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_func",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_objects",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "hardware_id_profiling",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_window",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "firefox_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "amsi_enumeration",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "suspicious_ntdll_disk_load",
        "time": 0.0
      },
      {
        "name": "direct_syscall_evasion",
        "time": 0.0
      },
      {
        "name": "unbacked_syscall_execution",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "privilege_elevation_check",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "query_fips_reconnaissance",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "debugs_self",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_spdy",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "dllload_suspicious_directory",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "install_kernel_driver_service",
        "time": 0.0
      },
      {
        "name": "malformed_dll_loading",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "registers_vectored_exception_handler",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_module_stomping_probing",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "section_mapping_injection",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "apc_injection",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_mutex",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_named_pipe",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_shared_memory",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "unbacked_exception_filter",
        "time": 0.0
      },
      {
        "name": "unbacked_process_mitigation_alteration",
        "time": 0.0
      },
      {
        "name": "thread_unbacked_memory",
        "time": 0.0
      },
      {
        "name": "unbacked_api_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_dotnet_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_library_load",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_apc_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_protection_alteration",
        "time": 0.0
      },
      {
        "name": "unbacked_mutex_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_process_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_veh_registration",
        "time": 0.0
      },
      {
        "name": "unbacked_com_instantiation",
        "time": 0.0
      },
      {
        "name": "unbacked_crypto_operations",
        "time": 0.0
      },
      {
        "name": "unbacked_delay_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_file_dropping",
        "time": 0.0
      },
      {
        "name": "unbacked_process_enumeration",
        "time": 0.0
      },
      {
        "name": "unbacked_registry_modification",
        "time": 0.0
      },
      {
        "name": "unbacked_service_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_token_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_wmi_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_bind_shell",
        "time": 0.0
      },
      {
        "name": "unbacked_dns_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_network_connection",
        "time": 0.0
      },
      {
        "name": "unbacked_named_pipe_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_useragent_retrieval",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "etherhiding_smart_contract_call",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "decompress_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "ransomware_iocp_asynchronous_encryption",
        "time": 0.0
      },
      {
        "name": "kernel_crypto_driver_abuse",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_extension_hijack",
        "time": 0.0
      },
      {
        "name": "mass_file_modification_access",
        "time": 0.0
      },
      {
        "name": "ransomware_attribute_stripping",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "mass_ransom_note_drop",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "byod_loldrivers_match",
        "time": 0.0
      },
      {
        "name": "byod_novel_driver",
        "time": 0.0
      },
      {
        "name": "byod_post_load_exploitation",
        "time": 0.0
      },
      {
        "name": "byod_driver_service_install",
        "time": 0.0
      },
      {
        "name": "com_spawned_process",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.0
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.0
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "pe_deep_entrypoint",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "pe_cert_invalid_signature",
        "time": 0.0
      },
      {
        "name": "pe_cert_self_signed",
        "time": 0.0
      },
      {
        "name": "pe_cert_suspicious_issuer",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "browser_credential_theft_headless",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.002
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.023
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.004
      },
      {
        "name": "antiav_detectreg",
        "time": 0.118
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.002
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.001
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.005
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.002
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.006
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.002
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.013
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.009
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.004
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.006
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.001
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "executes_headless_browser",
        "time": 0.0
      },
      {
        "name": "suspicious_browser_arguments",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.002
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.001
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "folder_enumeration",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.002
      },
      {
        "name": "infostealer_ftp",
        "time": 0.039
      },
      {
        "name": "infostealer_im",
        "time": 0.022
      },
      {
        "name": "infostealer_mail",
        "time": 0.007
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.003
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.0
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.0
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.0
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.004
      },
      {
        "name": "ransomware_files",
        "time": 0.006
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.001
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.038
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.008
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.008
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "test.bat",
      "path": "/opt/CAPEv2/storage/binaries/d5adc813fc59eb3112da0876d52643faf3b0ed8c54ae2ef70048269e683ce21e",
      "guest_paths": "",
      "size": 51,
      "crc32": "5565FD64",
      "md5": "3c81be5e67ce4c4974231d6a8dd5746e",
      "sha1": "ad8f07c8528442ce0a9f4fce436ed795fdd0f924",
      "sha256": "d5adc813fc59eb3112da0876d52643faf3b0ed8c54ae2ef70048269e683ce21e",
      "sha512": "20ee9c474247568a4d2c8d9f11dce8ed40716cac165ed996f9bb1df2cb6eb54922aa84bea56fb56a3646691ced1df1db35d280f91d3750524735eeadec0cdb2d",
      "rh_hash": null,
      "ssdeep": "3:gh2Z4MKLL7zYXI4MKLL7R:gh26MKjzGPMKjR",
      "type": "ASCII text, with CRLF line terminators",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1D8900293DD014A473C121B02928311014A2110063008E43A0C418481540EC012317A14",
      "sha3_384": "9935c3f25f3cb57d9c15241ab33c52cd863acb88f465121be1f5c5c9ef6546685924b394179aeac5992d524098fa7e83",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "data": "systeminfo > information.txt\r\nstart information.txt",
      "strings": [],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "238cf97018bf3c257a80f8509fc1efce6ac4a8bf5ff3a07dfbbdff994135f05f",
      "path": "/opt/CAPEv2/storage/analyses/55/procdump/238cf97018bf3c257a80f8509fc1efce6ac4a8bf5ff3a07dfbbdff994135f05f",
      "guest_paths": "1;?C:\\Windows\\System32\\cmd.exe;?C:\\Windows\\System32\\cmd.exe;?",
      "size": 403456,
      "crc32": "0890C02E",
      "md5": "3bee5fa8f71ac018b9497b31953aaf18",
      "sha1": "6fb800c2759d2ee532ea2387bd8cdae887462b3c",
      "sha256": "238cf97018bf3c257a80f8509fc1efce6ac4a8bf5ff3a07dfbbdff994135f05f",
      "sha512": "dcb3d282d0f04a5199c08856aa95daab3c3ed8cba0315141e8561be045366492619b817634d5655662db89161450060540bf19e2689d3082d5eff74fb2b40657",
      "rh_hash": null,
      "ssdeep": "6144:94WA1B7BxDfQWKORSqY4zOcmpdlc3MJdmtRl+m:01BvkWvSqY4zvmjO8JI4",
      "type": "PE32+ executable (console) x86-64, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1F9843A1D239818A5E5238179D903C276C6B27D346321A6EF22D0CD7B7F63AE97638F05",
      "sha3_384": "c0efeeb9ba33e106880c1b346272c85823a25496d5235347af235f49c978ec29fd9e9931446ed9e426a9752c7af98e5c",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\55\\test.bat",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x7ff79a450000",
        "entrypoint": "0x00018f50",
        "ep_bytes": "4883ec28e82b0600004883c428e91efe",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x00072588",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_AMD64",
        "pdbpath": "cmd.pdb",
        "imports": {},
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x10000000",
            "size": "0x00000351"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0005d000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00059000",
            "size": "0x00002334"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00066000",
            "size": "0x0000030c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00035a60",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00032c10",
            "size": "0x00000118"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00039d20",
            "size": "0x00000080"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00031000",
            "size_of_data": "0x00031000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.31"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00031400",
            "virtual_address": "0x00032000",
            "virtual_size": "0x0000b000",
            "size_of_data": "0x0000a600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.18"
          },
          {
            "name": ".data",
            "raw_address": "0x0003ba00",
            "virtual_address": "0x0003d000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x0001be00",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.14"
          },
          {
            "name": ".pdata",
            "raw_address": "0x00057800",
            "virtual_address": "0x00059000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "5.49"
          },
          {
            "name": ".didat",
            "raw_address": "0x00059c00",
            "virtual_address": "0x0005c000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "1.34"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00059e00",
            "virtual_address": "0x0005d000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00062400",
            "virtual_address": "0x00066000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "4.68"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00065420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005d778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005dde0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e0c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e1f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005fea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00061548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00064b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00065000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00065098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.50"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0005d350",
            "size": "0x00000428",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.19041.746 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.19041.746"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "",
        "timestamp": "2090-01-16 09:26:43",
        "icon": "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",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0"
      },
      "data": null,
      "strings": [
        "@A^_^",
        "message_size",
        "f9(u%H",
        "fD9,Ku",
        ";;u;H",
        "ResumeThread",
        "_wcslwr",
        ".CRT$XCA",
        "VirtualAlloc",
        "no such device or address",
        "d$0E3",
        " v;f98",
        "L$ht'A",
        "RtlCreateUnicodeStringFromAsciiz",
        ".text$di",
        "fE9$Ou",
        "iswxdigit",
        ".didat$4",
        "H+|$@H",
        "        </requestedPrivileges>",
        "GetEnvironmentStringsW",
        "fD9$nu",
        "RegEnumKeyExW",
        "RtlFindLeastSignificantBit",
        "LookupAccountSidWStub",
        ".pdata",
        "t$ WH",
        "8\\utH",
        "not supported",
        "memcmp",
        "fD9|F0u",
        "AutoRun",
        "AFFINITY",
        "MoveFileExW",
        "D95lB",
        "invalid string position",
        "f90u&H",
        "fD94{u",
        "D$ E3",
        "TerminateProcess",
        "LogHr",
        "D8L$iL",
        "no message",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "|$ AVH",
        "api-ms-win-core-handle-l1-1-0.dll",
        "??0exception@@QEAA@AEBQEBDH@Z",
        "EnterCriticalSection",
        "_pclose",
        "t4f93t/H",
        "10.0.19041.746",
        "RegSetValueExW",
        "D9l$d",
        "no space on device",
        "@8=D!",
        "api-ms-win-core-file-l1-1-0.dll",
        "fD9tC",
        "Ungetting: '%s'",
        "chdir ",
        "_dup2",
        "fD94Bu",
        ">;u\\D",
        "n<DSbb",
        "fA94Du",
        "GetConsoleMode",
        "D$XfD",
        "PU,//",
        "fD9|G0u",
        "f90t13",
        "network_unreachable",
        "fD9$yu",
        "<assemblyIdentity",
        "f;D$`",
        ".data$zz",
        "f99ujH",
        "COPYCMD",
        "A_A^A]A\\_^[",
        "fD9$su",
        "SetProcessAffinityMask",
        "wwwwwwwwp",
        "operation would block",
        "D9d$x",
        ".didat$5",
        "D$@E3",
        "L$xHc",
        "CreateSemaphoreExW",
        "GetNumaNodeProcessorMaskEx",
        "oL$0f",
        "L$0H=",
        "ReturnHr",
        "|$ ATAVAWH",
        ".text$mn",
        "fA9<Vu",
        "MM/dd/yy",
        "|$[fD9?",
        "fD9lC",
        "ABOVENORMAL",
        "%s (%s) %s",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "FindFirstFileW",
        "A_A^A]A\\_^[]",
        "too many files open",
        "HcA<H",
        "not a socket",
        "SetEndOfFile",
        "D$D9E",
        "fE9&tdA",
        "D9%`9",
        "fD9TH,u",
        "fD94Su",
        "connection_aborted",
        "HIGHESTNUMANODENUMBER",
        "ENDLOCAL",
        "FlushFileBuffers",
        "fA94Hu",
        "NtQueryInformationProcess",
        "GetModuleHandleW",
        "__set_app_type",
        "D9%/?",
        "D$PfA",
        "!wct&",
        "<description>Windows Command Processor</description>",
        "f;0u>H",
        "A_A^A]A\\_",
        "tBD9t$pu;H",
        "RANDOM",
        "fE9DE",
        "t$ UWATAVAWH",
        "(%s) %s ",
        "SHARED",
        "SetConsoleMode",
        "fD94Hu",
        "no link",
        "fD94~u",
        "u0D9d$ ",
        "L95NW",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        "InitializeProcThreadAttributeList",
        "GetFileSize",
        "_wpopen",
        "CloseHandle",
        "SetEnvironmentStringsW",
        "UVWAVAWH",
        "api-ms-win-core-heap-l2-1-0.dll",
        "t~fA;",
        "CHDIR",
        " /K %s",
        "fD9<Bu",
        "A_A^]",
        "UATAVH",
        "UVATAVAWH",
        "LcA<E3",
        "9\"tFH",
        "(caller: %p) ",
        "_XcptFilter",
        "L9{@u",
        "argument list too long",
        "D$Pf9",
        "Software\\Microsoft\\Command Processor",
        "address_family_not_supported",
        ".rsrc$02",
        "fD9,Ou",
        "fG94lu",
        "fE9$Fu",
        "fD94Ou",
        "_setjmp",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "<t:-,",
        "interrupted",
        "memset",
        "on.txt",
        "f9<Fu",
        "x AWH",
        "f9,Gu",
        "D9l$ ",
        "GetFullPathNameW",
        "_local_unwind",
        ".rdata$zz",
        "ext-ms-win-shell-shell32-l1-2-0.dll",
        ".didat$3",
        "*t|fA;",
        "_commode",
        "fC9\\e",
        "address_not_available",
        "ERRORLEVEL",
        "|$ ut",
        "malloc",
        "NeedCurrentDirectoryForExePathW",
        "fE9$wu",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "longjmp",
        "ext-ms-win-shell-shell32-l1-2-3",
        ".00cfg",
        "SetLastError",
        "D9-4m",
        "f94{u",
        "operation in progress",
        "USVWATAUAVAWH",
        "    type=\"win32\"",
        "D9-P8",
        "fD9<Xu",
        "H+L$xH",
        "fE9$vu",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "CSVFS",
        "ShellExecuteExW",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "'Px0&D",
        "??0exception@@QEAA@AEBQEBD@Z",
        "tokens=",
        "APerformUnaryOperation: '%c'",
        "bad address",
        ".CRT$XIA",
        "n(D9-c",
        "GetEnvironmentVariableW",
        "ReadProcessMemory",
        " A^A\\_",
        "t$xE3",
        "ShellExecuteWorker",
        "^fD9+",
        "GetFileAttributesExW",
        "CreateFileW",
        "printf",
        "f9<Cu",
        "GetSystemTime",
        ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
        "__C_specific_handler",
        "L$`H3",
        "|$@PE",
        "A_A^_^]",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "connection refused",
        "A_A^A\\_]",
        "A_A^A]_]",
        "NtQueryVolumeInformationFile",
        "u#D8g!u",
        "fE9d~",
        "\\Shell\\Open\\Command",
        "GetVersion",
        "FindFirstFileExW",
        "en-US",
        "ENABLEDELAYEDEXPANSION",
        "fF9Dj0u",
        "()|&=,;\"",
        "SetFileTime",
        "DPATH",
        "DefaultColor",
        "FlushConsoleInputBuffer",
        "IsDebuggerPresent",
        "L$pfD",
        "%02d%s%02d%s%02d",
        "GetConsoleOutputCP",
        " &()[]{}^=;!%'+,`~",
        "*)))))))))))))))))))))",
        "kernelbase.dll",
        "NtOpenProcessToken",
        ".text$x",
        ".?AVbad_alloc@std@@",
        "FindNextFileW",
        "D$xE3",
        "_wcsicmp",
        "Application",
        "=,;+/[] ",
        "TryAcquireSRWLockExclusive",
        "t$@D8=",
        "L$pH3",
        " Windows",
        "RaiseFailFastException",
        "filename_too_long",
        ".text$zy",
        ".CRT$XIY",
        "_CxxThrowException",
        "`.rdata",
        "wcsspn",
        "tRHcL$xI",
        "__CxxFrameHandler3",
        "GetDateFormatW",
        "iH4-N",
        "A^_^][",
        "no buffer space",
        "GetCPInfo",
        "@SAWH",
        "??1exception@@UEAA@XZ",
        "RoInitialize",
        "                level=\"asInvoker\"",
        "setlocale",
        ".CRT$XIAA",
        "?terminate@@YAXXZ",
        "PUSHD",
        "fD9$Ku",
        "CopyFileExW",
        "GetTimeFormatW",
        "fD9$hu",
        "usebackq",
        "WAVAWH",
        "fD9DC",
        "t$(9|$8t1",
        "api-ms-win-core-file-l2-1-0.dll",
        "D9t$x",
        "PathCompletionChar",
        "address_in_use",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "fE9<nu",
        "GetExitCodeProcess",
        "fE9,Gu",
        "SetUnhandledExceptionFilter",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        "fF9$pu",
        "\\$0E3",
        "D$ I+",
        " A_A^_",
        "fD9<qu",
        "[%hs]",
        "WilError_03",
        "u HcA<H",
        "wrong_protocol_type",
        ".CRT$XCZ",
        "f9,xu",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "operation not permitted",
        "tlfD9>tfI",
        "NtFsControlFile",
        "PATHEXT",
        " A_A^A]A\\_^]",
        "L$@fA",
        ".data$dk00$brc",
        "ext-ms-win-shell-shell32-l1-2-1",
        "fD9l$ ",
        "CmdBatNotificationStub",
        "D8L$h",
        "Se%ae`",
        "f9,Su",
        "fD9dG",
        "H9L$@r",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "SearchPathW",
        "cmd.exe",
        "ERASE",
        "L$(E3",
        "fD9t$\"",
        "_vsnwprintf",
        ".bss$00",
        "UVWATAUAVAWH",
        "resource deadlock would occur",
        "t$HE3",
        "fD9/u",
        "state not recoverable",
        "fD9$Su",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "!This program cannot be run in DOS mode.",
        "t!fD9l$ ",
        "result out of range",
        "GlobalFree",
        "fD9d$P",
        "VarFileInfo",
        "CMD.EXE",
        " A_A^A\\",
        "DeviceIoControl",
        ".didat$7",
        "ext-ms-win-branding-winbrand-l1-2-0",
        "tbD9t$Pu[H",
        ".CRT$XIZ",
        "HcD$PM",
        "wwwwwwww",
        "no_protocol_option",
        "Unknown",
        "HcT$ L",
        "D;d$@D",
        "fE9,Wu",
        "text file busy",
        "REALTIME",
        "x UATAVH",
        "ProductVersion",
        "GetFileSecurityW",
        "x ATAUAVH",
        ".data$pr00",
        "_initterm",
        "MKDIR",
        "_pipe",
        "%s %s ",
        "A^A]_",
        "|$ Hc",
        "string too long",
        "fgets",
        ".CRT$XCU",
        "MessageBeepStub",
        "f9/t+",
        "`A_A^A]A\\_^]",
        "_fmode",
        "skip=",
        ".text$lp01cmd.exe!20_pri7",
        "fD9 u",
        "f9<Qu",
        "api-ms-win-core-profile-l1-1-0.dll",
        "HeapFree",
        "RtlDllShutdownInProgress",
        ".text$np",
        "no_buffer_space",
        "f9<^u",
        "w{H9{",
        "operation canceled",
        "fF9,gu",
        "FailFast",
        "CMD Internal Error %s",
        "RemoveDirectoryW",
        "@SUVWH",
        "swscanf",
        "fF9$xu",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        "fD94Au",
        "|$ 9=",
        "9|$Ht",
        "Local\\SM0:%d:%d:%hs",
        "T$0fD",
        "ResolveDelayLoadedAPI",
        "MKLINK",
        "fD9,ou",
        "t$pL+",
        "u4D95N",
        "__getmainargs",
        "tGHcT$0M",
        "ReleaseSRWLockShared",
        "FTYPE",
        "operation_not_supported",
        "address not available",
        "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
        "ATAVAWH",
        "LeaveCriticalSection",
        " A^A]A\\",
        "(fD97",
        "invalid_argument",
        "|$ UATAUAVAWH",
        "K9\\$<t",
        "*** Unknown type: %x",
        "D$PE3",
        "o\\$PH",
        "fF9<fu",
        "\\$ E3",
        "D$0E3",
        "CMDCMDLINE",
        "oD$ f",
        "GetConsoleWindow",
        "se%%%%% R",
        "tsHcL$8L",
        "D$pE3",
        "f9,Bu",
        "fB9<su",
        "fD9$Wu",
        "D$xH#E",
        "EnableExtensions",
        "SaferWorker",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "inappropriate io control operation",
        "broken pipe",
        ".?AVlength_error@std@@",
        "GetACP",
        "Gxf9(u,3",
        "D9y$vb",
        "D8-BP",
        "` AUAVAWH",
        "fD9|]",
        "eY_wK",
        "not_a_socket",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        ".bss$dk00",
        "D9|$0u$E3",
        "io error",
        ";|$Xt",
        "t$ WATAVH",
        "D$(E3",
        "f94yu",
        "FOR/?",
        "too many links",
        "f9<Hu",
        "fD94Gu",
        "|$ E3",
        "l$ VWAVH",
        "delims=",
        ".rsrc",
        "rmdir ",
        "MultiByteToWideChar",
        "D$DE3",
        "operation not supported",
        "AcquireSRWLockShared",
        ".xdata$x",
        "no protocol option",
        "api-ms-win-core-synch-l1-1-0.dll",
        "D3blc",
        ";:u8A",
        "8=unH",
        "bad_address",
        "OpenSemaphoreW",
        "memmove",
        "G8f9C",
        "ReadConsoleW",
        "BREAK",
        "4FHcD$`H",
        "bad allocation",
        "api-ms-win-core-synch-l1-2-0.dll",
        "LoadLibraryExW",
        "f9|$<tMI;",
        "D9t$0",
        "D$89|$P",
        "\\$ UH",
        "fD90t",
        "value too large",
        "M0H9M`t",
        "GetLastError",
        "__setusermatherr",
        "fD9#u",
        "api-ms-win-core-io-l1-1-0.dll",
        "r?fA;",
        "@Qm6t",
        "0123456789",
        "WNetAddConnection2WStub",
        "ReleaseSRWLockExclusive",
        "\\$ UVWH",
        "fA9<Du",
        "protocol error",
        "!KD4)#",
        "VERIFY",
        "destination address required",
        "pushd ",
        "t$HD9=",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "D$HE3",
        "CompletionChar",
        "NORMAL",
        " A_A^A\\^]",
        "L$ USWH",
        "RegOpenKeyExW",
        "DoSHChangeNotify",
        ".gljmp",
        "_wcsnicmp",
        ".gehcont",
        "NTDLL.DLL",
        "FileTimeToLocalFileTime",
        "A_A^A]A\\_^]",
        "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
        "HeapSize",
        "fD9$Fu",
        "no child process",
        "ext-ms-win-shell-shell32-l1-3-0",
        ";:u&A",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "owner dead",
        "Cd$@H",
        "T$XD;{",
        "    /D /c\"",
        "eIDATx",
        "ProductName",
        "wcschr",
        "f9,Ou",
        "GetCurrentProcessId",
        "lext-ms-win-cmd-util-l1-1-0",
        "SetErrorMode",
        "UAVAWH",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "G0HcW",
        "L$Xf91t",
        "api-ms-win-core-delayload-l1-1-1.dll",
        "T$0E3",
        ".xdata",
        "QueryFullProcessImageNameWStub",
        "f94Ju",
        "Sh(PO",
        "FtFfD9",
        "wwwwwwwwwwwwwwwwwwwww",
        "d$Ht*E",
        "protocol not supported",
        "FileVersion",
        " Microsoft Corporation. All rights reserved.",
        "invalid argument",
        "f9,Cu",
        "mkdir ",
        "L$4uFA",
        "\\$dD9L$T",
        "network reset",
        "QueryPerformanceCounter",
        "already connected",
        "A_A^A]",
        "t$0fB",
        "ext-ms-win-shell-shell32-l1-2-2",
        "D$0H;",
        "u3fD;",
        "fA9<@u",
        "iostream stream error",
        "FileTimeToSystemTime",
        "fB9<{u",
        "<GfD9#",
        "not connected",
        "    processorArchitecture=\"amd64\"",
        "D$ fA;",
        ".data",
        "_get_osfhandle",
        "    </windowsSettings>",
        "fD9,Su",
        "XXX8Pvh8v",
        "D8L$\\",
        "InternalName",
        "cCBR_p",
        "Msg:[%ws] ",
        "t$ WATAUAVAWH",
        "L$8H3",
        "D$ fD",
        "tRfD9",
        "L$ fD",
        "HH:mm:ss t",
        "u\"f90u&H",
        "GetStartupInfoW",
        "msvcrt.dll",
        "GetProcessHeap",
        "CreateProcessW",
        "cross device link",
        "L$XH3",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "\\$PE3",
        "8A^_^[",
        "GetCurrentProcess",
        "WaitForSingleObject",
        ".idata$2",
        "w5tlA",
        "GetLocaleInfoW",
        "_errno",
        "host unreachable",
        "Fxf9(u-3",
        "connection_reset",
        "CMDEXTVERSION",
        "_amsg_exit",
        "permission_denied",
        "H!|$`I",
        "f9<Au",
        "L$0E3",
        "|$8D9{",
        "L$PE3",
        "D8L$ t",
        "L$ E3",
        "D$0L;",
        "A_A^A]A\\]",
        "operation_would_block",
        "ASSOC",
        "E$uwM",
        "D$ I;",
        "f9H\\u",
        "RegQueryValueExW",
        "ApiSetQueryApiSetPresence",
        "A^A\\]",
        "tart information.txt",
        "D$8H!t$8H",
        "CompareFileTime",
        "lstrcmpW",
        "fD9,Ju",
        "Translation",
        "fD9<Hu",
        "device or resource busy",
        "L9%@^",
        " A_A^_H",
        "calloc",
        "UWATAVAWH",
        "_cexit",
        "SetFilePointer",
        "START",
        "f94Ku",
        "already_connected",
        "=ExitCodeAscii",
        "KERNEL32.DLL",
        "GlobalAlloc",
        "iswspace",
        ".?AVout_of_range@std@@",
        "fD9,Vu",
        "_purecall",
        "fA9<wu",
        "_wcsupr",
        "GetFileInformationByHandleEx",
        "network_reset",
        "api-ms-win-security-base-l1-1-0.dll",
        "t$ E3",
        "api-ms-win-core-string-obsolete-l1-1-0.dll",
        "t%fA;",
        "fE9$Gu",
        "_exit",
        "fD93u6H;",
        "f94Cu",
        "fD9$xu",
        "fD9$_u",
        "L;d$x",
        ".idata$5",
        "L$Pf9",
        "VirtualQuery",
        "_getch",
        "CallContext:[%hs] ",
        "GetProcAddress",
        "RegCreateKeyExW",
        "L$095",
        "D8L$P",
        ".text$zz",
        "pA_A^_^]",
        "ReleaseSemaphore",
        "no such process",
        "L$XE3",
        "D$@H9t$@",
        "api-ms-win-core-localization-l1-2-0.dll",
        "host_unreachable",
        "L$0H;",
        "GetConsoleScreenBufferInfo",
        "t\"D9%",
        "|$z:t0A",
        "D9f$t",
        "fD9 tuH",
        "_close",
        "x AUAVAWH",
        "fD98t",
        "emp\\test.bat",
        "t<fA9(t6I",
        "connection_refused",
        ";8uWH",
        "REM /?",
        "COMSPEC",
        "no such file or directory",
        "D$`fD98t",
        "l$PLcv$I",
        "t\"D8=",
        "fD9$Hu",
        "GetDiskFreeSpaceExW",
        "GetUserDefaultLCID",
        "bad message",
        "qsort",
        "GetCommandLineW",
        "directory not empty",
        "towupper",
        "        <requestedPrivileges>",
        ">1tUA",
        ".giats",
        "fA9<Fu",
        "T$8H;",
        "SetLocalTime",
        "\"t5fA",
        "fD9+t",
        "SVWATAUAVAWH",
        "too many files open in system",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "|T0 s",
        "api-ms-win-core-heap-l1-1-0.dll",
        "ReleaseMutex",
        "            />",
        "D$ L+",
        "fE9,xu",
        "td@8=",
        "            <requestedExecutionLevel",
        "D$`f9",
        "VAVAWH",
        "connection reset",
        "fD9,8",
        "</assembly>",
        "MoveFileWithProgressW",
        "DEFINED",
        "L9%<`",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "f9,Hu",
        "SetConsoleTextAttribute",
        "@A_A^]",
        "stream timeout",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        "connection already in progress",
        "is a directory",
        "A_A^A\\_^",
        "NtClose",
        "not a directory",
        "DISABLEDELAYEDEXPANSION",
        "RtlCaptureContext",
        "GetSecurityDescriptorOwner",
        "tbfA9",
        "iostream",
        "connection_already_in_progress",
        "f9tQ,u",
        "m;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\;C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps",
        "oT$@f",
        ".idata$6",
        "wrong protocol type",
        "$DHcD$PM",
        "SETLOCAL",
        "wwwwwwwwwwwwwww",
        "fE9LE",
        "Cmd.Exe",
        ".?AVexception@@",
        "$DHcD$`H",
        "|$`E3",
        "wcstol",
        "cmd.pdb",
        "D9|$Pt",
        "SetThreadUILanguage",
        "GetDriveTypeW",
        "1H9wx",
        "PROMPT",
        "NtSetInformationFile",
        "L9N@A",
        "%hs(%d) tid(%x) %08X %ws",
        "SUVWATAVAWH",
        "OutputDebugStringW",
        "D9|$0",
        "read only file system",
        "cG?CCRRRRP`R",
        "ferror",
        "fdpnxsatz",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "RegCloseKey",
        "CopyFileW",
        "GetThreadLocale",
        "uE9\\$<uE",
        "RegDeleteValueW",
        "T$8A;",
        ".rdata$00",
        ";C$sD",
        "%WINDOWS_COPYRIGHT%",
        "fF9$Iu",
        "fA9,Pu",
        "DISABLEEXTENSIONS",
        "(t$@L",
        "fD9$Cu",
        "\\CMD.EXE",
        "DIRCMD",
        " A_A^A]A\\_",
        "operation_in_progress",
        "    </security>",
        "L9{0t#H",
        "SetConsoleCursorPosition",
        "tGD95",
        "Args: `%s' ",
        "_unlock",
        "/w&tV",
        "@.didat",
        "#D$D;",
        "wcstoul",
        "D9t$p",
        "CreateSymbolicLinkW",
        "GetModuleFileNameW",
        "D8L$ ",
        "DuplicateHandle",
        "D8=-u",
        "t$49\\$Ht&9",
        "identifier removed",
        "FormatMessageW",
        "HcD$`H",
        "tSL9?",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "fF9$Cu",
        "SetFileAttributesW",
        "H!|$ L",
        "Software\\Policies\\Microsoft\\Windows\\System",
        "System",
        "tlD8%",
        "?what@exception@@UEBAPEBDXZ",
        "@USVWATAUAVAWH",
        "`A_A^A\\_^][",
        "L$@E3",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "t,fD92t&I",
        "InitializeCriticalSection",
        "IF /?",
        "fD9$Au",
        ".data$r$brc",
        "\\$$E3",
        "FreeEnvironmentStringsW",
        "\\$(E3",
        "OriginalFilename",
        "9T$0u0",
        "L$PH3",
        "api-ms-win-core-console-l2-2-0.dll",
        "not a stream",
        "iswalpha",
        "D9d$P",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "GetModuleHandleExW",
        "u*9Q<|%",
        "    version=\"5.1.0.0\"",
        "memcpy_s",
        "0A^_^][",
        "=ExitCode",
        "api-ms-win-core-console-l2-1-0.dll",
        "TITLE",
        "x UAVAWH",
        "GetLocalTime",
        "                uiAccess=\"false\"",
        "SVWAVH",
        "CompanyName",
        "L$ UVWATAUAVAWH",
        "f9|$Xvx",
        "??0exception@@QEAA@AEBV0@@Z",
        "],//cuu",
        "address in use",
        " %x %c",
        "fD9<{u",
        "BELOWNORMAL",
        "SHIFT",
        "NtSetInformationProcess",
        "APerformArithmeticOperation: '%c'",
        "9:uGH9-n",
        "VWAVH",
        "ScrollConsoleScreenBufferW",
        "_tell",
        "no such device",
        "H9t$Xt eH",
        "fA94Ru",
        "Hct$ ",
        "RRRRP%",
        "filename too long",
        "    <security>",
        ">/~sA",
        "fA98u",
        "L$0H3",
        "wcsrchr",
        "Null environment",
        "file exists",
        "resource unavailable try again",
        "0A_A^_",
        "ppData\\Local\\Temp\\test.bat",
        " [..]",
        ".rdata",
        "RoUninitialize",
        "RtlFreeUnicodeString",
        "[%hs(%hs)]",
        "__dllonexit",
        "GetFileType",
        "FindFirstStreamWStub",
        "RMDIR",
        "??1type_info@@UEAA@XZ",
        "%s=%s",
        "@A_A^A]",
        "useback",
        "WriteFile",
        "WGeToken: (%x) '%s'",
        "fD9,xu",
        ")t$@H",
        "7fD90",
        "api-ms-win-core-string-l1-1-0.dll",
        "RENAME",
        "H9{Hs>H",
        "p AWH",
        "FillConsoleOutputCharacterW",
        "fD99t~D9=<u",
        "F fD9",
        "bad_file_descriptor",
        "A_A^A\\_^[]",
        "|$TfD",
        "WNetCancelConnection2WStub",
        "system",
        "f9,su",
        "protocol_not_supported",
        "t$`I+",
        "network down",
        "GetVolumeInformationW",
        "CreateProcessAsUserW",
        "DisableUNCCheck",
        "srand",
        "D$\"fD",
        "L$8E3",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "StringFileInfo",
        "WATAUAVAWH",
        "HcD$x",
        "f9,{u",
        "yy/MM/dd",
        "E[fD9",
        "f90t7",
        "NEWWINDOW",
        "argument out of domain",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "fD9dM",
        "<>+-*/%()|^&=,",
        " A^_^",
        "H9D$`",
        "timed_out",
        "fD9tG",
        "Redir: ",
        "realloc",
        "@SVAUH",
        "D$@fD9'",
        "RtlDisownModuleHeapAllocation",
        "fD9$Zu",
        "@USVWATAVAWH",
        "Sleep",
        "SystemTimeToFileTime",
        "prRRRPa",
        "fE9dw",
        "t$ WAVAWH",
        "t$0E;",
        "FOR /?",
        ".text",
        ".idata$3",
        "L9L$x",
        "A_A^A\\",
        "p.=)D",
        ".CRT$XCAA",
        "SEPARATE",
        "HcL$ HcD$$H",
        "FindClose",
        "_ultoa",
        "network unreachable",
        "f9,Xu",
        "CreateHardLinkW",
        "GetConsoleTitleW",
        "no message available",
        "GetFileAttributesW",
        "fB9<iu",
        " Operating System",
        "\\uc@8=",
        "fF9<Au",
        "0A_A^^",
        "CCCC@40`P@ ",
        "GetCurrentDirectoryW",
        "VS_VERSION_INFO",
        "b$j-0",
        "HeapSetInformation",
        "l$HE3",
        "fA9<\\u",
        "@WAVH",
        "NtCancelSynchronousIoFile",
        "UWAWH",
        "fD9 t&f",
        "SetConsoleCtrlHandler",
        "\\$ UVWATAUAVAWH",
        "PAUSE",
        "UpdateProcThreadAttribute",
        "L$TE3",
        "f9<Ku",
        "address family not supported",
        "fD9,Cu",
        "fD9<Gu",
        "8/t@H",
        "D8=is",
        "s AWH",
        "fD9$pu",
        "8*uUH",
        "RtlNtStatusToDosError",
        ".idata$4",
        "@SUVWATAUAVAWH",
        "NtQueryInformationToken",
        "L$HE3",
        "fD9,^u",
        "9\\$<t",
        "GetVDMCurrentDirectoriesStub",
        "f9<Bu",
        "RtlDosPathNameToNtPathName_U",
        "f94Zu",
        "\\$ UVWAVAWH",
        ";:u.A",
        "tUD9%",
        "D9%KA",
        "x AVH",
        "executable format error",
        "fD94xu",
        "GetVolumePathNameW",
        "9D$0u",
        "f9|$Vt\"",
        "|$P.uEH",
        "CreateMutexExW",
        "%02d%s%02d%s",
        "fD9 tK",
        "function not supported",
        ">2tFA",
        "UWAVH",
        "IDI_APPICON",
        "%6Ru'",
        ";l$0u",
        "RtlFreeHeap",
        "generic",
        "BrandingFormatString",
        "D$l;E",
        "Microsoft",
        "L+D$ H+",
        "GetWindowsDirectoryW",
        "illegal byte sequence",
        "GetCurrentThreadId",
        "HeapAlloc",
        "SUVWATAUAVAWH",
        "fD9$Gu",
        "CHcD$pH",
        "_open_osfhandle",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        ".didat$2",
        "fD94yu",
        "DebugBreak",
        "_onexit",
        "fD9,0",
        "NtOpenFile",
        "UWAUAVAWH",
        "t$@E3",
        "VirtualFree",
        "@A_A^A]A\\_][",
        " H3E H3E",
        "D$8E3",
        "D9L$l",
        ".rdata$brc",
        "%2d%s%02d%s%02d%s%02d",
        "wcsncmp",
        "3t)E3",
        "L$XH+",
        ".text$lp00cmd.exe!20_pri7",
        "|$0E3",
        "WAUAVH",
        "not enough memory",
        ".rdata$zzzdbg",
        "SetConsoleTitleW",
        "Microsoft Corporation",
        "9|$Pt!H",
        "REM/?",
        ".gfids",
        ".didat$6",
        "    <windowsSettings>",
        "LegalCopyright",
        "GetNumaHighestNodeNumber",
        "T$ H+",
        "??3@YAXPEAX@Z",
        "DelayedExpansion",
        "H9D$x",
        "040904B0",
        ".?AVlogic_error@std@@",
        "RtlVirtualUnwind",
        "WriteConsoleW",
        "D$0fD98t",
        "%hs!%p: ",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "LocalFree",
        "D;S$r",
        "t$0uKE3",
        "t$(E3",
        "_wtol",
        ".data$brc",
        "FileDescription",
        "ExpandEnvironmentStringsW",
        "formation.txt ",
        "SetFilePointerEx",
        "t$HM+",
        "SetEnvironmentVariableW",
        "message size",
        "HeapReAlloc",
        "fE9<^u",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "__iob_func",
        "fD9,Au",
        "fE9$@u",
        "DisableCMD",
        "fE94Wu",
        "{ ATAVAWH",
        "%s %s%s ",
        "too many symbolic link levels",
        "DelayLoadFailureHook",
        "t$0E3",
        " [...]",
        "RegDeleteKeyExW",
        "GetSystemTimeAsFileTime",
        "wcscmp",
        "@SUVWAVH",
        "D$pf9",
        "destination_address_required",
        "connection aborted",
        "FindNextStreamWStub",
        "|$4fE99",
        "fD9,Gu",
        "towlower",
        "ReadFile",
        "L$ H+",
        "UnhandledExceptionFilter",
        "start information.txtion.txt",
        "|$pI+",
        "WideCharToMultiByte",
        "dd/MM/yy",
        "HcD$ ",
        "u+fD9o",
        "GetModuleFileNameA",
        "GetThreadGroupAffinity",
        "@SVWH",
        "wcsstr",
        "EXIST",
        "x UATAUAVAWH",
        "C0D9s$",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "fD9,_u",
        "RtlReleaseRelativeName",
        "fF9l}",
        "api-ms-win-core-debug-l1-1-0.dll",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "NtOpenThreadToken",
        "Cmd: %s  Type: %x ",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "D$(@P",
        "WaitForSingleObjectEx",
        "timed out",
        ">0tdA",
        "Software\\Classes",
        "SetConsoleInputExeNameW",
        "t$@H9",
        "RevertToSelf",
        "fD94Cu",
        "%d.%d.%05d.%d",
        "network_down",
        "RtlLookupFunctionEntry",
        "_lock",
        "H!\\$ L",
        "%04X-%04X",
        "D9t$<",
        "FillConsoleOutputAttribute",
        "fE9,Ft",
        "GetTickCount",
        "u%6RRRRRPp",
        "not_connected",
        "COLOR",
        ".rdata$00$brc",
        "fflush",
        "l$ VWATAVAWH",
        "OpenThread",
        "_callnewh",
        "SetThreadLocale",
        "no stream resources",
        "bad file descriptor",
        ".bss$zz",
        "l$ E3",
        "</trustInfo>",
        "T$8E3",
        "x ATAVAWH",
        "fD9#t",
        "f98tDA",
        "????????.???",
        "_setmode",
        "permission denied",
        "fD94wu",
        "@.reloc",
        "f94Au",
        ".data$00",
        "<noalias>",
        "fE9,Fu",
        "@A_A^A]A\\_^[",
        "@A_A^A]A\\_^]",
        "api-ms-win-core-memory-l1-1-0.dll",
        "D$<E3",
        "KxfD91",
        "SetCurrentDirectoryW",
        "file too large",
        ".text$mn$00",
        "iswdigit",
        "T$PE3",
        "@A_A^A\\",
        "fD90H",
        "@A_A^_^]",
        "CreateDirectoryW",
        "d$x@8=",
        "too_many_files_open",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        "fprintf",
        "DeleteFileW",
        "??_V@YAXPEAX@Z",
        "4qaCCRCCCB",
        "fD9/t",
        "t$0L+",
        "unknown error",
        "fD9,Fu",
        "fD9:u",
        "L$(H3",
        "D$8L+",
        "SUWATAUAVAWH",
        "t|D9t$xuuH",
        "ntdll.dll",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "DeleteProcThreadAttributeList",
        "L$xE3",
        "Windows Command Processor",
        "L$8f99u`+",
        "nformation.txt",
        "|$XMc",
        "t$pE3",
        "pqacG%%apppppppaB",
        "HcT$8H",
        "|$pA;",
        "</application>",
        "invalid seek",
        ".rsrc$01",
        "0A_A^A]A\\_^]",
        ".bss$pr00",
        "L$ SWH",
        "%hs(%u)\\%hs!%p: ",
        "ENABLEEXTENSIONS",
        "A_A^A]A\\_^][",
        "api-ms-win-core-console-l1-1-0.dll",
        "D9t$DtND",
        "D9%PC",
        "ext-ms-win-shell-shell32-l1-2-0",
        "WNetGetConnectionWStub",
        ".text$yd",
        "lstrcmpiW",
        "HcD$pH",
        "DD$`H",
        ">3t#A",
        "fD94Wu",
        "Exception",
        "\\XCOPY.EXE",
        "fD9,Wu",
        "AfD9!u",
        "A_A^_",
        "no lock available",
        "GetStdHandle",
        "memcpy",
        "fD9<Cu",
        "api-ms-win-core-registry-l1-1-0.dll",
        "10.0.19041.746 (WinBuild.160101.0800)"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\System32\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\System32\\cmd.exe",
      "pid": 2108
    },
    {
      "name": "87fc8ef8bc1a66ad7ebff4fa1fda65a6e8a58b6776da2bc87d16a0b8e29b097a",
      "path": "/opt/CAPEv2/storage/analyses/55/procdump/87fc8ef8bc1a66ad7ebff4fa1fda65a6e8a58b6776da2bc87d16a0b8e29b097a",
      "guest_paths": "1;?C:\\Windows\\System32\\cmd.exe;?C:\\Windows\\System32\\cmd.exe;?",
      "size": 401920,
      "crc32": "AB824F9E",
      "md5": "d760934462598affbc6ec655fd56b216",
      "sha1": "27155af87b46e960666ecedcb39d0292bf25a3b3",
      "sha256": "87fc8ef8bc1a66ad7ebff4fa1fda65a6e8a58b6776da2bc87d16a0b8e29b097a",
      "sha512": "db8e13c463d9926ef3a78ca27fdf1b90257f03186ff3178da8d1b139d0aa15ad098e4430571dac2cb2e9d6e93770a632d430327b87704ae9dec7099b2849e0cd",
      "rh_hash": null,
      "ssdeep": "6144:d4WA1B7BxDfQWKORSqY4zOcmpdlc3MJdmtNlIm:U1BvkWvSqY4zvmjO8JIG",
      "type": "PE32+ executable (console) x86-64, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T112843A1D239818A5E5238179D903C276C6B27D346321A6EF22D0CD7B7F63AE97638B05",
      "sha3_384": "96dd0d39eb0e223e63772ea9306bc7d3f6a67c69be1de6859818cb788a50f092495000705c61b3ee1a55927f1cc8e650",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\55\\test.bat",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x7ff79a450000",
        "entrypoint": "0x00018f50",
        "ep_bytes": "4883ec28e82b0600004883c428e91efe",
        "peid_signatures": null,
        "reported_checksum": "0x0004d4af",
        "actual_checksum": "0x00069302",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_AMD64",
        "pdbpath": "cmd.pdb",
        "imports": {
          "msvcrt": {
            "dll": "msvcrt.dll",
            "imports": [
              {
                "address": "0x7ff79a483af8",
                "name": "_setmode"
              },
              {
                "address": "0x7ff79a483b00",
                "name": "exit"
              },
              {
                "address": "0x7ff79a483b08",
                "name": "iswxdigit"
              },
              {
                "address": "0x7ff79a483b10",
                "name": "time"
              },
              {
                "address": "0x7ff79a483b18",
                "name": "srand"
              },
              {
                "address": "0x7ff79a483b20",
                "name": "_wtol"
              },
              {
                "address": "0x7ff79a483b28",
                "name": "fflush"
              },
              {
                "address": "0x7ff79a483b30",
                "name": "wcsstr"
              },
              {
                "address": "0x7ff79a483b38",
                "name": "iswalpha"
              },
              {
                "address": "0x7ff79a483b40",
                "name": "wcstoul"
              },
              {
                "address": "0x7ff79a483b48",
                "name": "_errno"
              },
              {
                "address": "0x7ff79a483b50",
                "name": "printf"
              },
              {
                "address": "0x7ff79a483b58",
                "name": "rand"
              },
              {
                "address": "0x7ff79a483b60",
                "name": "fprintf"
              },
              {
                "address": "0x7ff79a483b68",
                "name": "wcsncmp"
              },
              {
                "address": "0x7ff79a483b70",
                "name": "_pipe"
              },
              {
                "address": "0x7ff79a483b78",
                "name": "_commode"
              },
              {
                "address": "0x7ff79a483b80",
                "name": "_lock"
              },
              {
                "address": "0x7ff79a483b88",
                "name": "wcsrchr"
              },
              {
                "address": "0x7ff79a483b90",
                "name": "realloc"
              },
              {
                "address": "0x7ff79a483b98",
                "name": "towlower"
              },
              {
                "address": "0x7ff79a483ba0",
                "name": "_initterm"
              },
              {
                "address": "0x7ff79a483ba8",
                "name": "__setusermatherr"
              },
              {
                "address": "0x7ff79a483bb0",
                "name": "setlocale"
              },
              {
                "address": "0x7ff79a483bb8",
                "name": "_wcsupr"
              },
              {
                "address": "0x7ff79a483bc0",
                "name": "iswdigit"
              },
              {
                "address": "0x7ff79a483bc8",
                "name": "_ultoa"
              },
              {
                "address": "0x7ff79a483bd0",
                "name": "_cexit"
              },
              {
                "address": "0x7ff79a483bd8",
                "name": "_unlock"
              },
              {
                "address": "0x7ff79a483be0",
                "name": "_exit"
              },
              {
                "address": "0x7ff79a483be8",
                "name": "__dllonexit"
              },
              {
                "address": "0x7ff79a483bf0",
                "name": "_wcsicmp"
              },
              {
                "address": "0x7ff79a483bf8",
                "name": "iswspace"
              },
              {
                "address": "0x7ff79a483c00",
                "name": "wcschr"
              },
              {
                "address": "0x7ff79a483c08",
                "name": "fgets"
              },
              {
                "address": "0x7ff79a483c10",
                "name": "??_V@YAXPEAX@Z"
              },
              {
                "address": "0x7ff79a483c18",
                "name": "_pclose"
              },
              {
                "address": "0x7ff79a483c20",
                "name": "ferror"
              },
              {
                "address": "0x7ff79a483c28",
                "name": "_onexit"
              },
              {
                "address": "0x7ff79a483c30",
                "name": "__CxxFrameHandler3"
              },
              {
                "address": "0x7ff79a483c38",
                "name": "_open_osfhandle"
              },
              {
                "address": "0x7ff79a483c40",
                "name": "_close"
              },
              {
                "address": "0x7ff79a483c48",
                "name": "feof"
              },
              {
                "address": "0x7ff79a483c50",
                "name": "_dup"
              },
              {
                "address": "0x7ff79a483c58",
                "name": "_wpopen"
              },
              {
                "address": "0x7ff79a483c60",
                "name": "_wcsnicmp"
              },
              {
                "address": "0x7ff79a483c68",
                "name": "?terminate@@YAXXZ"
              },
              {
                "address": "0x7ff79a483c70",
                "name": "memset"
              },
              {
                "address": "0x7ff79a483c78",
                "name": "wcstol"
              },
              {
                "address": "0x7ff79a483c80",
                "name": "_get_osfhandle"
              },
              {
                "address": "0x7ff79a483c88",
                "name": "_dup2"
              },
              {
                "address": "0x7ff79a483c90",
                "name": "_getch"
              },
              {
                "address": "0x7ff79a483c98",
                "name": "towupper"
              },
              {
                "address": "0x7ff79a483ca0",
                "name": "memcmp"
              },
              {
                "address": "0x7ff79a483ca8",
                "name": "_setjmp"
              },
              {
                "address": "0x7ff79a483cb0",
                "name": "wcsspn"
              },
              {
                "address": "0x7ff79a483cb8",
                "name": "_fmode"
              },
              {
                "address": "0x7ff79a483cc0",
                "name": "qsort"
              },
              {
                "address": "0x7ff79a483cc8",
                "name": "__set_app_type"
              },
              {
                "address": "0x7ff79a483cd0",
                "name": "_tell"
              },
              {
                "address": "0x7ff79a483cd8",
                "name": "_wcslwr"
              },
              {
                "address": "0x7ff79a483ce0",
                "name": "longjmp"
              },
              {
                "address": "0x7ff79a483ce8",
                "name": "_local_unwind"
              },
              {
                "address": "0x7ff79a483cf0",
                "name": "_purecall"
              },
              {
                "address": "0x7ff79a483cf8",
                "name": "__C_specific_handler"
              },
              {
                "address": "0x7ff79a483d00",
                "name": "??3@YAXPEAX@Z"
              },
              {
                "address": "0x7ff79a483d08",
                "name": "memcpy_s"
              },
              {
                "address": "0x7ff79a483d10",
                "name": "free"
              },
              {
                "address": "0x7ff79a483d18",
                "name": "calloc"
              },
              {
                "address": "0x7ff79a483d20",
                "name": "__getmainargs"
              },
              {
                "address": "0x7ff79a483d28",
                "name": "_XcptFilter"
              },
              {
                "address": "0x7ff79a483d30",
                "name": "_amsg_exit"
              },
              {
                "address": "0x7ff79a483d38",
                "name": "??1type_info@@UEAA@XZ"
              },
              {
                "address": "0x7ff79a483d40",
                "name": "memmove"
              },
              {
                "address": "0x7ff79a483d48",
                "name": "memcpy"
              },
              {
                "address": "0x7ff79a483d50",
                "name": "_CxxThrowException"
              },
              {
                "address": "0x7ff79a483d58",
                "name": "_vsnwprintf"
              },
              {
                "address": "0x7ff79a483d60",
                "name": "swscanf"
              },
              {
                "address": "0x7ff79a483d68",
                "name": "__iob_func"
              },
              {
                "address": "0x7ff79a483d70",
                "name": "malloc"
              },
              {
                "address": "0x7ff79a483d78",
                "name": "_callnewh"
              },
              {
                "address": "0x7ff79a483d80",
                "name": "??0exception@@QEAA@AEBQEBD@Z"
              },
              {
                "address": "0x7ff79a483d88",
                "name": "??0exception@@QEAA@AEBQEBDH@Z"
              },
              {
                "address": "0x7ff79a483d90",
                "name": "??0exception@@QEAA@AEBV0@@Z"
              },
              {
                "address": "0x7ff79a483d98",
                "name": "??1exception@@UEAA@XZ"
              },
              {
                "address": "0x7ff79a483da0",
                "name": "?what@exception@@UEBAPEBDXZ"
              },
              {
                "address": "0x7ff79a483da8",
                "name": "wcscmp"
              }
            ]
          },
          "ntdll": {
            "dll": "ntdll.dll",
            "imports": [
              {
                "address": "0x7ff79a483db8",
                "name": "RtlLookupFunctionEntry"
              },
              {
                "address": "0x7ff79a483dc0",
                "name": "RtlCaptureContext"
              },
              {
                "address": "0x7ff79a483dc8",
                "name": "NtOpenProcessToken"
              },
              {
                "address": "0x7ff79a483dd0",
                "name": "NtQueryInformationToken"
              },
              {
                "address": "0x7ff79a483dd8",
                "name": "NtClose"
              },
              {
                "address": "0x7ff79a483de0",
                "name": "NtOpenThreadToken"
              },
              {
                "address": "0x7ff79a483de8",
                "name": "RtlFreeHeap"
              },
              {
                "address": "0x7ff79a483df0",
                "name": "NtFsControlFile"
              },
              {
                "address": "0x7ff79a483df8",
                "name": "RtlDosPathNameToNtPathName_U"
              },
              {
                "address": "0x7ff79a483e00",
                "name": "RtlVirtualUnwind"
              },
              {
                "address": "0x7ff79a483e08",
                "name": "RtlFreeUnicodeString"
              },
              {
                "address": "0x7ff79a483e10",
                "name": "RtlReleaseRelativeName"
              },
              {
                "address": "0x7ff79a483e18",
                "name": "NtOpenFile"
              },
              {
                "address": "0x7ff79a483e20",
                "name": "RtlDosPathNameToRelativeNtPathName_U_WithStatus"
              },
              {
                "address": "0x7ff79a483e28",
                "name": "NtSetInformationFile"
              },
              {
                "address": "0x7ff79a483e30",
                "name": "NtQueryVolumeInformationFile"
              },
              {
                "address": "0x7ff79a483e38",
                "name": "NtSetInformationProcess"
              },
              {
                "address": "0x7ff79a483e40",
                "name": "NtQueryInformationProcess"
              },
              {
                "address": "0x7ff79a483e48",
                "name": "RtlNtStatusToDosError"
              },
              {
                "address": "0x7ff79a483e50",
                "name": "NtCancelSynchronousIoFile"
              },
              {
                "address": "0x7ff79a483e58",
                "name": "RtlCreateUnicodeStringFromAsciiz"
              },
              {
                "address": "0x7ff79a483e60",
                "name": "RtlFindLeastSignificantBit"
              }
            ]
          },
          "api-ms-win-core-kernel32-legacy-l1-1-0": {
            "dll": "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483788",
                "name": "CopyFileW"
              },
              {
                "address": "0x7ff79a483790",
                "name": "GetConsoleWindow"
              }
            ]
          },
          "api-ms-win-core-libraryloader-l1-2-0": {
            "dll": "api-ms-win-core-libraryloader-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4837a0",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x7ff79a4837a8",
                "name": "GetModuleFileNameA"
              },
              {
                "address": "0x7ff79a4837b0",
                "name": "LoadLibraryExW"
              },
              {
                "address": "0x7ff79a4837b8",
                "name": "GetProcAddress"
              },
              {
                "address": "0x7ff79a4837c0",
                "name": "GetModuleFileNameW"
              },
              {
                "address": "0x7ff79a4837c8",
                "name": "GetModuleHandleExW"
              }
            ]
          },
          "api-ms-win-core-synch-l1-1-0": {
            "dll": "api-ms-win-core-synch-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4839c8",
                "name": "CreateSemaphoreExW"
              },
              {
                "address": "0x7ff79a4839d0",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x7ff79a4839d8",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x7ff79a4839e0",
                "name": "ReleaseSemaphore"
              },
              {
                "address": "0x7ff79a4839e8",
                "name": "TryAcquireSRWLockExclusive"
              },
              {
                "address": "0x7ff79a4839f0",
                "name": "WaitForSingleObjectEx"
              },
              {
                "address": "0x7ff79a4839f8",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x7ff79a483a00",
                "name": "ReleaseSRWLockShared"
              },
              {
                "address": "0x7ff79a483a08",
                "name": "AcquireSRWLockShared"
              },
              {
                "address": "0x7ff79a483a10",
                "name": "LeaveCriticalSection"
              },
              {
                "address": "0x7ff79a483a18",
                "name": "CreateMutexExW"
              },
              {
                "address": "0x7ff79a483a20",
                "name": "EnterCriticalSection"
              },
              {
                "address": "0x7ff79a483a28",
                "name": "ReleaseSRWLockExclusive"
              },
              {
                "address": "0x7ff79a483a30",
                "name": "OpenSemaphoreW"
              }
            ]
          },
          "api-ms-win-core-heap-l1-1-0": {
            "dll": "api-ms-win-core-heap-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483720",
                "name": "HeapFree"
              },
              {
                "address": "0x7ff79a483728",
                "name": "HeapAlloc"
              },
              {
                "address": "0x7ff79a483730",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x7ff79a483738",
                "name": "HeapSetInformation"
              },
              {
                "address": "0x7ff79a483740",
                "name": "HeapReAlloc"
              },
              {
                "address": "0x7ff79a483748",
                "name": "HeapSize"
              }
            ]
          },
          "api-ms-win-core-errorhandling-l1-1-0": {
            "dll": "api-ms-win-core-errorhandling-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4835c8",
                "name": "SetLastError"
              },
              {
                "address": "0x7ff79a4835d0",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x7ff79a4835d8",
                "name": "GetLastError"
              },
              {
                "address": "0x7ff79a4835e0",
                "name": "SetErrorMode"
              },
              {
                "address": "0x7ff79a4835e8",
                "name": "SetUnhandledExceptionFilter"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-0": {
            "dll": "api-ms-win-core-processthreads-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4838b0",
                "name": "InitializeProcThreadAttributeList"
              },
              {
                "address": "0x7ff79a4838b8",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x7ff79a4838c0",
                "name": "UpdateProcThreadAttribute"
              },
              {
                "address": "0x7ff79a4838c8",
                "name": "DeleteProcThreadAttributeList"
              },
              {
                "address": "0x7ff79a4838d0",
                "name": "GetStartupInfoW"
              },
              {
                "address": "0x7ff79a4838d8",
                "name": "CreateProcessAsUserW"
              },
              {
                "address": "0x7ff79a4838e0",
                "name": "OpenThread"
              },
              {
                "address": "0x7ff79a4838e8",
                "name": "CreateProcessW"
              },
              {
                "address": "0x7ff79a4838f0",
                "name": "ResumeThread"
              },
              {
                "address": "0x7ff79a4838f8",
                "name": "TerminateProcess"
              },
              {
                "address": "0x7ff79a483900",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x7ff79a483908",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x7ff79a483910",
                "name": "GetCurrentProcessId"
              }
            ]
          },
          "api-ms-win-core-localization-l1-2-0": {
            "dll": "api-ms-win-core-localization-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4837d8",
                "name": "GetThreadLocale"
              },
              {
                "address": "0x7ff79a4837e0",
                "name": "SetThreadLocale"
              },
              {
                "address": "0x7ff79a4837e8",
                "name": "FormatMessageW"
              },
              {
                "address": "0x7ff79a4837f0",
                "name": "GetLocaleInfoW"
              },
              {
                "address": "0x7ff79a4837f8",
                "name": "GetCPInfo"
              },
              {
                "address": "0x7ff79a483800",
                "name": "GetACP"
              },
              {
                "address": "0x7ff79a483808",
                "name": "GetUserDefaultLCID"
              }
            ]
          },
          "api-ms-win-core-debug-l1-1-0": {
            "dll": "api-ms-win-core-debug-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483588",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x7ff79a483590",
                "name": "DebugBreak"
              },
              {
                "address": "0x7ff79a483598",
                "name": "IsDebuggerPresent"
              }
            ]
          },
          "api-ms-win-core-handle-l1-1-0": {
            "dll": "api-ms-win-core-handle-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483708",
                "name": "DuplicateHandle"
              },
              {
                "address": "0x7ff79a483710",
                "name": "CloseHandle"
              }
            ]
          },
          "api-ms-win-core-memory-l1-1-0": {
            "dll": "api-ms-win-core-memory-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483818",
                "name": "VirtualAlloc"
              },
              {
                "address": "0x7ff79a483820",
                "name": "VirtualQuery"
              },
              {
                "address": "0x7ff79a483828",
                "name": "VirtualFree"
              },
              {
                "address": "0x7ff79a483830",
                "name": "ReadProcessMemory"
              }
            ]
          },
          "api-ms-win-core-console-l1-1-0": {
            "dll": "api-ms-win-core-console-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4834e0",
                "name": "ReadConsoleW"
              },
              {
                "address": "0x7ff79a4834e8",
                "name": "SetConsoleCtrlHandler"
              },
              {
                "address": "0x7ff79a4834f0",
                "name": "SetConsoleMode"
              },
              {
                "address": "0x7ff79a4834f8",
                "name": "WriteConsoleW"
              },
              {
                "address": "0x7ff79a483500",
                "name": "GetConsoleMode"
              },
              {
                "address": "0x7ff79a483508",
                "name": "GetConsoleOutputCP"
              }
            ]
          },
          "api-ms-win-core-file-l1-1-0": {
            "dll": "api-ms-win-core-file-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4835f8",
                "name": "CreateFileW"
              },
              {
                "address": "0x7ff79a483600",
                "name": "FlushFileBuffers"
              },
              {
                "address": "0x7ff79a483608",
                "name": "GetFileAttributesExW"
              },
              {
                "address": "0x7ff79a483610",
                "name": "GetDriveTypeW"
              },
              {
                "address": "0x7ff79a483618",
                "name": "FindClose"
              },
              {
                "address": "0x7ff79a483620",
                "name": "FindNextFileW"
              },
              {
                "address": "0x7ff79a483628",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x7ff79a483630",
                "name": "GetVolumeInformationW"
              },
              {
                "address": "0x7ff79a483638",
                "name": "SetFileAttributesW"
              },
              {
                "address": "0x7ff79a483640",
                "name": "SetEndOfFile"
              },
              {
                "address": "0x7ff79a483648",
                "name": "SetFilePointerEx"
              },
              {
                "address": "0x7ff79a483650",
                "name": "WriteFile"
              },
              {
                "address": "0x7ff79a483658",
                "name": "DeleteFileW"
              },
              {
                "address": "0x7ff79a483660",
                "name": "SetFileTime"
              },
              {
                "address": "0x7ff79a483668",
                "name": "GetVolumePathNameW"
              },
              {
                "address": "0x7ff79a483670",
                "name": "SetFilePointer"
              },
              {
                "address": "0x7ff79a483678",
                "name": "ReadFile"
              },
              {
                "address": "0x7ff79a483680",
                "name": "GetFileAttributesW"
              },
              {
                "address": "0x7ff79a483688",
                "name": "GetFileType"
              },
              {
                "address": "0x7ff79a483690",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x7ff79a483698",
                "name": "FindFirstFileExW"
              },
              {
                "address": "0x7ff79a4836a0",
                "name": "CompareFileTime"
              },
              {
                "address": "0x7ff79a4836a8",
                "name": "GetFullPathNameW"
              },
              {
                "address": "0x7ff79a4836b0",
                "name": "GetDiskFreeSpaceExW"
              },
              {
                "address": "0x7ff79a4836b8",
                "name": "FileTimeToLocalFileTime"
              },
              {
                "address": "0x7ff79a4836c0",
                "name": "GetFileSize"
              },
              {
                "address": "0x7ff79a4836c8",
                "name": "FindFirstFileW"
              }
            ]
          },
          "api-ms-win-core-string-l1-1-0": {
            "dll": "api-ms-win-core-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483998",
                "name": "WideCharToMultiByte"
              },
              {
                "address": "0x7ff79a4839a0",
                "name": "MultiByteToWideChar"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-1-0": {
            "dll": "api-ms-win-core-processenvironment-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483840",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x7ff79a483848",
                "name": "GetEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483850",
                "name": "ExpandEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483858",
                "name": "FreeEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483860",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x7ff79a483868",
                "name": "SearchPathW"
              },
              {
                "address": "0x7ff79a483870",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x7ff79a483878",
                "name": "GetCurrentDirectoryW"
              },
              {
                "address": "0x7ff79a483880",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x7ff79a483888",
                "name": "SetEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483890",
                "name": "GetStdHandle"
              }
            ]
          },
          "api-ms-win-core-console-l2-1-0": {
            "dll": "api-ms-win-core-console-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483518",
                "name": "SetConsoleCursorPosition"
              },
              {
                "address": "0x7ff79a483520",
                "name": "GetConsoleScreenBufferInfo"
              },
              {
                "address": "0x7ff79a483528",
                "name": "ScrollConsoleScreenBufferW"
              },
              {
                "address": "0x7ff79a483530",
                "name": "FillConsoleOutputAttribute"
              },
              {
                "address": "0x7ff79a483538",
                "name": "FillConsoleOutputCharacterW"
              },
              {
                "address": "0x7ff79a483540",
                "name": "FlushConsoleInputBuffer"
              },
              {
                "address": "0x7ff79a483548",
                "name": "SetConsoleTextAttribute"
              }
            ]
          },
          "api-ms-win-security-base-l1-1-0": {
            "dll": "api-ms-win-security-base-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483ad8",
                "name": "GetFileSecurityW"
              },
              {
                "address": "0x7ff79a483ae0",
                "name": "RevertToSelf"
              },
              {
                "address": "0x7ff79a483ae8",
                "name": "GetSecurityDescriptorOwner"
              }
            ]
          },
          "api-ms-win-core-sysinfo-l1-1-0": {
            "dll": "api-ms-win-core-sysinfo-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483a50",
                "name": "GetSystemTime"
              },
              {
                "address": "0x7ff79a483a58",
                "name": "SetLocalTime"
              },
              {
                "address": "0x7ff79a483a60",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x7ff79a483a68",
                "name": "GetTickCount"
              },
              {
                "address": "0x7ff79a483a70",
                "name": "GetWindowsDirectoryW"
              },
              {
                "address": "0x7ff79a483a78",
                "name": "GetLocalTime"
              },
              {
                "address": "0x7ff79a483a80",
                "name": "GetVersion"
              }
            ]
          },
          "api-ms-win-core-timezone-l1-1-0": {
            "dll": "api-ms-win-core-timezone-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483aa8",
                "name": "SystemTimeToFileTime"
              },
              {
                "address": "0x7ff79a483ab0",
                "name": "FileTimeToSystemTime"
              }
            ]
          },
          "api-ms-win-core-datetime-l1-1-0": {
            "dll": "api-ms-win-core-datetime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483570",
                "name": "GetDateFormatW"
              },
              {
                "address": "0x7ff79a483578",
                "name": "GetTimeFormatW"
              }
            ]
          },
          "api-ms-win-core-systemtopology-l1-1-0": {
            "dll": "api-ms-win-core-systemtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483a90",
                "name": "GetNumaNodeProcessorMaskEx"
              },
              {
                "address": "0x7ff79a483a98",
                "name": "GetNumaHighestNodeNumber"
              }
            ]
          },
          "api-ms-win-core-console-l2-2-0": {
            "dll": "api-ms-win-core-console-l2-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483558",
                "name": "SetConsoleTitleW"
              },
              {
                "address": "0x7ff79a483560",
                "name": "GetConsoleTitleW"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-2-0": {
            "dll": "api-ms-win-core-processenvironment-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4838a0",
                "name": "NeedCurrentDirectoryForExePathW"
              }
            ]
          },
          "api-ms-win-core-registry-l1-1-0": {
            "dll": "api-ms-win-core-registry-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483950",
                "name": "RegCloseKey"
              },
              {
                "address": "0x7ff79a483958",
                "name": "RegSetValueExW"
              },
              {
                "address": "0x7ff79a483960",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x7ff79a483968",
                "name": "RegCreateKeyExW"
              },
              {
                "address": "0x7ff79a483970",
                "name": "RegEnumKeyExW"
              },
              {
                "address": "0x7ff79a483978",
                "name": "RegDeleteKeyExW"
              },
              {
                "address": "0x7ff79a483980",
                "name": "RegDeleteValueW"
              },
              {
                "address": "0x7ff79a483988",
                "name": "RegQueryValueExW"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-0": {
            "dll": "api-ms-win-core-file-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4836d8",
                "name": "MoveFileExW"
              },
              {
                "address": "0x7ff79a4836e0",
                "name": "CreateSymbolicLinkW"
              },
              {
                "address": "0x7ff79a4836e8",
                "name": "CreateHardLinkW"
              },
              {
                "address": "0x7ff79a4836f0",
                "name": "MoveFileWithProgressW"
              },
              {
                "address": "0x7ff79a4836f8",
                "name": "GetFileInformationByHandleEx"
              }
            ]
          },
          "api-ms-win-core-heap-l2-1-0": {
            "dll": "api-ms-win-core-heap-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483758",
                "name": "GlobalAlloc"
              },
              {
                "address": "0x7ff79a483760",
                "name": "GlobalFree"
              },
              {
                "address": "0x7ff79a483768",
                "name": "LocalFree"
              }
            ]
          },
          "api-ms-win-core-io-l1-1-0": {
            "dll": "api-ms-win-core-io-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483778",
                "name": "DeviceIoControl"
              }
            ]
          },
          "api-ms-win-core-winrt-l1-1-0": {
            "dll": "api-ms-win-core-winrt-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483ac0",
                "name": "RoInitialize"
              },
              {
                "address": "0x7ff79a483ac8",
                "name": "RoUninitialize"
              }
            ]
          },
          "api-ms-win-core-processtopology-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483920",
                "name": "GetThreadGroupAffinity"
              }
            ]
          },
          "api-ms-win-core-synch-l1-2-0": {
            "dll": "api-ms-win-core-synch-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483a40",
                "name": "Sleep"
              }
            ]
          },
          "api-ms-win-core-profile-l1-1-0": {
            "dll": "api-ms-win-core-profile-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483940",
                "name": "QueryPerformanceCounter"
              }
            ]
          },
          "api-ms-win-core-string-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-string-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4839b0",
                "name": "lstrcmpW"
              },
              {
                "address": "0x7ff79a4839b8",
                "name": "lstrcmpiW"
              }
            ]
          },
          "api-ms-win-core-processtopology-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483930",
                "name": "SetProcessAffinityMask"
              }
            ]
          },
          "api-ms-win-core-apiquery-l1-1-0": {
            "dll": "api-ms-win-core-apiquery-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4834d0",
                "name": "ApiSetQueryApiSetPresence"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-1": {
            "dll": "api-ms-win-core-delayload-l1-1-1.dll",
            "imports": [
              {
                "address": "0x7ff79a4835b8",
                "name": "ResolveDelayLoadedAPI"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-0": {
            "dll": "api-ms-win-core-delayload-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4835a8",
                "name": "DelayLoadFailureHook"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0003a028",
            "size": "0x000002f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0005d000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00059000",
            "size": "0x00002334"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00066000",
            "size": "0x0000030c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00035a60",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00032c10",
            "size": "0x00000118"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00039d20",
            "size": "0x00000080"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00031000",
            "size_of_data": "0x00031000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.31"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00031400",
            "virtual_address": "0x00032000",
            "virtual_size": "0x0000b000",
            "size_of_data": "0x0000a600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.18"
          },
          {
            "name": ".data",
            "raw_address": "0x0003ba00",
            "virtual_address": "0x0003d000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x0001b800",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.13"
          },
          {
            "name": ".pdata",
            "raw_address": "0x00057200",
            "virtual_address": "0x00059000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "5.49"
          },
          {
            "name": ".didat",
            "raw_address": "0x00059600",
            "virtual_address": "0x0005c000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "1.28"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00059800",
            "virtual_address": "0x0005d000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00061e00",
            "virtual_address": "0x00066000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "4.68"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00065420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005d778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005dde0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e0c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e1f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005fea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00061548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00064b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00065000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00065098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.50"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0005d350",
            "size": "0x00000428",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.19041.746 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.19041.746"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "272245e2988e1e430500b852c4fb5e18",
        "timestamp": "2090-01-16 09:26:43",
        "icon": "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",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0",
        "imported_dll_count": 37
      },
      "data": null,
      "strings": [
        "@A^_^",
        "message_size",
        "f9(u%H",
        "fD9,Ku",
        ";;u;H",
        "ResumeThread",
        "_wcslwr",
        ".CRT$XCA",
        "VirtualAlloc",
        "no such device or address",
        "d$0E3",
        " v;f98",
        "L$ht'A",
        "RtlCreateUnicodeStringFromAsciiz",
        ".text$di",
        "fE9$Ou",
        "iswxdigit",
        ".didat$4",
        "H+|$@H",
        "        </requestedPrivileges>",
        "GetEnvironmentStringsW",
        "fD9$nu",
        "RegEnumKeyExW",
        "RtlFindLeastSignificantBit",
        "LookupAccountSidWStub",
        ".pdata",
        "t$ WH",
        "8\\utH",
        "not supported",
        "memcmp",
        "fD9|F0u",
        "AutoRun",
        "AFFINITY",
        "MoveFileExW",
        "D95lB",
        "invalid string position",
        "f90u&H",
        "fD94{u",
        "D$ E3",
        "TerminateProcess",
        "LogHr",
        "D8L$iL",
        "no message",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "|$ AVH",
        "api-ms-win-core-handle-l1-1-0.dll",
        "??0exception@@QEAA@AEBQEBDH@Z",
        "EnterCriticalSection",
        "_pclose",
        "t4f93t/H",
        "10.0.19041.746",
        "RegSetValueExW",
        "D9l$d",
        "no space on device",
        "@8=D!",
        "api-ms-win-core-file-l1-1-0.dll",
        "fD9tC",
        "Ungetting: '%s'",
        "chdir ",
        "_dup2",
        "fD94Bu",
        ">;u\\D",
        "n<DSbb",
        "fA94Du",
        "GetConsoleMode",
        "D$XfD",
        "PU,//",
        "fD9|G0u",
        "f90t13",
        "network_unreachable",
        "fD9$yu",
        "<assemblyIdentity",
        "f;D$`",
        ".data$zz",
        "f99ujH",
        "COPYCMD",
        "A_A^A]A\\_^[",
        "fD9$su",
        "SetProcessAffinityMask",
        "wwwwwwwwp",
        "operation would block",
        "D9d$x",
        ".didat$5",
        "D$@E3",
        "L$xHc",
        "CreateSemaphoreExW",
        "GetNumaNodeProcessorMaskEx",
        "oL$0f",
        "L$0H=",
        "ReturnHr",
        "|$ ATAVAWH",
        ".text$mn",
        "fA9<Vu",
        "MM/dd/yy",
        "|$[fD9?",
        "fD9lC",
        "ABOVENORMAL",
        "%s (%s) %s",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "FindFirstFileW",
        "A_A^A]A\\_^[]",
        "too many files open",
        "HcA<H",
        "not a socket",
        "SetEndOfFile",
        "D$D9E",
        "fE9&tdA",
        "D9%`9",
        "fD9TH,u",
        "fD94Su",
        "connection_aborted",
        "HIGHESTNUMANODENUMBER",
        "ENDLOCAL",
        "FlushFileBuffers",
        "fA94Hu",
        "NtQueryInformationProcess",
        "GetModuleHandleW",
        "__set_app_type",
        "D9%/?",
        "D$PfA",
        "!wct&",
        "<description>Windows Command Processor</description>",
        "f;0u>H",
        "A_A^A]A\\_",
        "tBD9t$pu;H",
        "RANDOM",
        "fE9DE",
        "t$ UWATAVAWH",
        "(%s) %s ",
        "SHARED",
        "SetConsoleMode",
        "fD94Hu",
        "no link",
        "fD94~u",
        "u0D9d$ ",
        "L95NW",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        "InitializeProcThreadAttributeList",
        "GetFileSize",
        "_wpopen",
        "CloseHandle",
        "SetEnvironmentStringsW",
        "UVWAVAWH",
        "api-ms-win-core-heap-l2-1-0.dll",
        "t~fA;",
        "CHDIR",
        " /K %s",
        "fD9<Bu",
        "A_A^]",
        "UATAVH",
        "UVATAVAWH",
        "LcA<E3",
        "9\"tFH",
        "(caller: %p) ",
        "_XcptFilter",
        "L9{@u",
        "argument list too long",
        "D$Pf9",
        "Software\\Microsoft\\Command Processor",
        "address_family_not_supported",
        ".rsrc$02",
        "fD9,Ou",
        "fG94lu",
        "fE9$Fu",
        "fD94Ou",
        "_setjmp",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "<t:-,",
        "interrupted",
        "memset",
        "f9<Fu",
        "x AWH",
        "f9,Gu",
        "D9l$ ",
        "GetFullPathNameW",
        "_local_unwind",
        ".rdata$zz",
        "ext-ms-win-shell-shell32-l1-2-0.dll",
        ".didat$3",
        "*t|fA;",
        "_commode",
        "fC9\\e",
        "address_not_available",
        "ERRORLEVEL",
        "|$ ut",
        "malloc",
        "NeedCurrentDirectoryForExePathW",
        "fE9$wu",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "longjmp",
        "ext-ms-win-shell-shell32-l1-2-3",
        ".00cfg",
        "SetLastError",
        "D9-4m",
        "f94{u",
        "operation in progress",
        "USVWATAUAVAWH",
        "    type=\"win32\"",
        "D9-P8",
        "fD9<Xu",
        "H+L$xH",
        "fE9$vu",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "CSVFS",
        "ShellExecuteExW",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "'Px0&D",
        "??0exception@@QEAA@AEBQEBD@Z",
        "tokens=",
        "APerformUnaryOperation: '%c'",
        "bad address",
        ".CRT$XIA",
        "n(D9-c",
        "GetEnvironmentVariableW",
        "ReadProcessMemory",
        " A^A\\_",
        "t$xE3",
        "ShellExecuteWorker",
        "^fD9+",
        "GetFileAttributesExW",
        "CreateFileW",
        "printf",
        "f9<Cu",
        "GetSystemTime",
        "__C_specific_handler",
        "L$`H3",
        "|$@PE",
        "A_A^_^]",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "connection refused",
        "A_A^A\\_]",
        "A_A^A]_]",
        "NtQueryVolumeInformationFile",
        "u#D8g!u",
        "fE9d~",
        "\\Shell\\Open\\Command",
        "GetVersion",
        "FindFirstFileExW",
        "en-US",
        "ENABLEDELAYEDEXPANSION",
        "fF9Dj0u",
        "()|&=,;\"",
        "SetFileTime",
        "DPATH",
        "DefaultColor",
        "FlushConsoleInputBuffer",
        "IsDebuggerPresent",
        "L$pfD",
        "%02d%s%02d%s%02d",
        "GetConsoleOutputCP",
        " &()[]{}^=;!%'+,`~",
        "*)))))))))))))))))))))",
        "kernelbase.dll",
        "NtOpenProcessToken",
        ".text$x",
        ".?AVbad_alloc@std@@",
        "FindNextFileW",
        "D$xE3",
        "_wcsicmp",
        "Application",
        "=,;+/[] ",
        "TryAcquireSRWLockExclusive",
        "t$@D8=",
        "L$pH3",
        " Windows",
        "RaiseFailFastException",
        "filename_too_long",
        ".text$zy",
        ".CRT$XIY",
        "_CxxThrowException",
        "`.rdata",
        "wcsspn",
        "tRHcL$xI",
        "__CxxFrameHandler3",
        "GetDateFormatW",
        "iH4-N",
        "A^_^][",
        "no buffer space",
        "GetCPInfo",
        "@SAWH",
        "??1exception@@UEAA@XZ",
        "RoInitialize",
        "                level=\"asInvoker\"",
        "setlocale",
        ".CRT$XIAA",
        "?terminate@@YAXXZ",
        "PUSHD",
        "fD9$Ku",
        "CopyFileExW",
        "GetTimeFormatW",
        "fD9$hu",
        "usebackq",
        "WAVAWH",
        "fD9DC",
        "t$(9|$8t1",
        "api-ms-win-core-file-l2-1-0.dll",
        "D9t$x",
        "PathCompletionChar",
        "address_in_use",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "fE9<nu",
        "GetExitCodeProcess",
        "fE9,Gu",
        "start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"",
        "SetUnhandledExceptionFilter",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        "fF9$pu",
        "\\$0E3",
        "D$ I+",
        " A_A^_",
        "fD9<qu",
        "[%hs]",
        "WilError_03",
        "u HcA<H",
        "wrong_protocol_type",
        ".CRT$XCZ",
        "f9,xu",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "operation not permitted",
        "tlfD9>tfI",
        "NtFsControlFile",
        "PATHEXT",
        " A_A^A]A\\_^]",
        "L$@fA",
        ".data$dk00$brc",
        "ext-ms-win-shell-shell32-l1-2-1",
        "fD9l$ ",
        "CmdBatNotificationStub",
        "D8L$h",
        "Se%ae`",
        "f9,Su",
        "fD9dG",
        "H9L$@r",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "SearchPathW",
        "cmd.exe",
        "C:\\Windows\\system32\\cmd.exe",
        "ERASE",
        "L$(E3",
        "fD9t$\"",
        "_vsnwprintf",
        ".bss$00",
        "UVWATAUAVAWH",
        "resource deadlock would occur",
        "t$HE3",
        "fD9/u",
        "state not recoverable",
        "fD9$Su",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "!This program cannot be run in DOS mode.",
        "t!fD9l$ ",
        "result out of range",
        "GlobalFree",
        "fD9d$P",
        "VarFileInfo",
        "CMD.EXE",
        " A_A^A\\",
        "DeviceIoControl",
        ".didat$7",
        "ext-ms-win-branding-winbrand-l1-2-0",
        "tbD9t$Pu[H",
        ".CRT$XIZ",
        "HcD$PM",
        "wwwwwwww",
        "no_protocol_option",
        "Unknown",
        "HcT$ L",
        "D;d$@D",
        "fE9,Wu",
        "text file busy",
        "REALTIME",
        "x UATAVH",
        "ProductVersion",
        "GetFileSecurityW",
        "x ATAUAVH",
        ".data$pr00",
        "_initterm",
        "MKDIR",
        "_pipe",
        "%s %s ",
        "A^A]_",
        "|$ Hc",
        "string too long",
        "fgets",
        ".CRT$XCU",
        "MessageBeepStub",
        "f9/t+",
        "`A_A^A]A\\_^]",
        "_fmode",
        "skip=",
        ".text$lp01cmd.exe!20_pri7",
        "fD9 u",
        "f9<Qu",
        "api-ms-win-core-profile-l1-1-0.dll",
        "HeapFree",
        "RtlDllShutdownInProgress",
        ".text$np",
        "no_buffer_space",
        "f9<^u",
        "w{H9{",
        "operation canceled",
        "fF9,gu",
        "FailFast",
        "CMD Internal Error %s",
        "RemoveDirectoryW",
        "@SUVWH",
        "swscanf",
        "fF9$xu",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        "fD94Au",
        "|$ 9=",
        "9|$Ht",
        "Local\\SM0:%d:%d:%hs",
        "T$0fD",
        "ResolveDelayLoadedAPI",
        "MKLINK",
        "fD9,ou",
        "t$pL+",
        "u4D95N",
        "__getmainargs",
        "tGHcT$0M",
        "ReleaseSRWLockShared",
        "FTYPE",
        "operation_not_supported",
        "address not available",
        "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
        "ATAVAWH",
        "LeaveCriticalSection",
        " A^A]A\\",
        "(fD97",
        "invalid_argument",
        "|$ UATAUAVAWH",
        "K9\\$<t",
        "*** Unknown type: %x",
        "D$PE3",
        "o\\$PH",
        "fF9<fu",
        "\\$ E3",
        "D$0E3",
        "CMDCMDLINE",
        "oD$ f",
        "GetConsoleWindow",
        "se%%%%% R",
        "tsHcL$8L",
        "D$pE3",
        "f9,Bu",
        "fB9<su",
        "fD9$Wu",
        "D$xH#E",
        "EnableExtensions",
        "SaferWorker",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "inappropriate io control operation",
        "broken pipe",
        ".?AVlength_error@std@@",
        "GetACP",
        "Gxf9(u,3",
        "D9y$vb",
        "D8-BP",
        "` AUAVAWH",
        "fD9|]",
        "eY_wK",
        "not_a_socket",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        ".bss$dk00",
        "D9|$0u$E3",
        "io error",
        ";|$Xt",
        "t$ WATAVH",
        "D$(E3",
        "f94yu",
        "FOR/?",
        "too many links",
        "f9<Hu",
        "fD94Gu",
        "|$ E3",
        "l$ VWAVH",
        "delims=",
        ".rsrc",
        "rmdir ",
        "MultiByteToWideChar",
        "D$DE3",
        "operation not supported",
        "AcquireSRWLockShared",
        ".xdata$x",
        "no protocol option",
        "api-ms-win-core-synch-l1-1-0.dll",
        "D3blc",
        ";:u8A",
        "8=unH",
        "bad_address",
        "OpenSemaphoreW",
        "memmove",
        "G8f9C",
        "ReadConsoleW",
        "BREAK",
        "4FHcD$`H",
        "bad allocation",
        "api-ms-win-core-synch-l1-2-0.dll",
        "LoadLibraryExW",
        "f9|$<tMI;",
        "D9t$0",
        "D$89|$P",
        "\\$ UH",
        "fD90t",
        "value too large",
        "M0H9M`t",
        "GetLastError",
        "__setusermatherr",
        "fD9#u",
        "api-ms-win-core-io-l1-1-0.dll",
        "r?fA;",
        "@Qm6t",
        "0123456789",
        "WNetAddConnection2WStub",
        "ReleaseSRWLockExclusive",
        "\\$ UVWH",
        "fA9<Du",
        "protocol error",
        "!KD4)#",
        "VERIFY",
        "destination address required",
        "pushd ",
        "t$HD9=",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "D$HE3",
        "CompletionChar",
        "NORMAL",
        " A_A^A\\^]",
        "L$ USWH",
        "RegOpenKeyExW",
        "DoSHChangeNotify",
        ".gljmp",
        "_wcsnicmp",
        ".gehcont",
        "NTDLL.DLL",
        "FileTimeToLocalFileTime",
        "A_A^A]A\\_^]",
        "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
        "HeapSize",
        "fD9$Fu",
        "no child process",
        "ext-ms-win-shell-shell32-l1-3-0",
        ";:u&A",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "owner dead",
        "Cd$@H",
        "T$XD;{",
        "    /D /c\"",
        "eIDATx",
        "ProductName",
        "wcschr",
        "f9,Ou",
        "GetCurrentProcessId",
        "lext-ms-win-cmd-util-l1-1-0",
        "SetErrorMode",
        "UAVAWH",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "G0HcW",
        "L$Xf91t",
        "api-ms-win-core-delayload-l1-1-1.dll",
        "T$0E3",
        ".xdata",
        "QueryFullProcessImageNameWStub",
        "f94Ju",
        "Sh(PO",
        "FtFfD9",
        "wwwwwwwwwwwwwwwwwwwww",
        "d$Ht*E",
        "E;.JS;.JSE;.WSF;.WSH;.MSC",
        "protocol not supported",
        "FileVersion",
        " Microsoft Corporation. All rights reserved.",
        "invalid argument",
        "f9,Cu",
        "mkdir ",
        "L$4uFA",
        "\\$dD9L$T",
        "network reset",
        "QueryPerformanceCounter",
        "already connected",
        "A_A^A]",
        "t$0fB",
        "ext-ms-win-shell-shell32-l1-2-2",
        "D$0H;",
        "u3fD;",
        "fA9<@u",
        "iostream stream error",
        "FileTimeToSystemTime",
        "fB9<{u",
        "<GfD9#",
        "not connected",
        "    processorArchitecture=\"amd64\"",
        "D$ fA;",
        ".data",
        "_get_osfhandle",
        "    </windowsSettings>",
        "fD9,Su",
        "XXX8Pvh8v",
        "D8L$\\",
        "InternalName",
        "cCBR_p",
        "Msg:[%ws] ",
        "t$ WATAUAVAWH",
        "L$8H3",
        "D$ fD",
        "tRfD9",
        "L$ fD",
        "HH:mm:ss t",
        "u\"f90u&H",
        "GetStartupInfoW",
        "msvcrt.dll",
        "GetProcessHeap",
        "CreateProcessW",
        "cross device link",
        "L$XH3",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "\\$PE3",
        "8A^_^[",
        "GetCurrentProcess",
        "WaitForSingleObject",
        ".idata$2",
        "w5tlA",
        "GetLocaleInfoW",
        "_errno",
        "host unreachable",
        "Fxf9(u-3",
        "connection_reset",
        "CMDEXTVERSION",
        "_amsg_exit",
        "permission_denied",
        "H!|$`I",
        "f9<Au",
        "L$0E3",
        "|$8D9{",
        "L$PE3",
        "D8L$ t",
        "L$ E3",
        "D$0L;",
        "A_A^A]A\\]",
        "operation_would_block",
        "ASSOC",
        "E$uwM",
        "D$ I;",
        "f9H\\u",
        "RegQueryValueExW",
        "ApiSetQueryApiSetPresence",
        "A^A\\]",
        "D$8H!t$8H",
        "CompareFileTime",
        "lstrcmpW",
        "fD9,Ju",
        "Translation",
        "fD9<Hu",
        "device or resource busy",
        "L9%@^",
        " A_A^_H",
        "calloc",
        "UWATAVAWH",
        "_cexit",
        "SetFilePointer",
        "START",
        "f94Ku",
        "already_connected",
        "=ExitCodeAscii",
        "KERNEL32.DLL",
        "GlobalAlloc",
        "iswspace",
        ".?AVout_of_range@std@@",
        "fD9,Vu",
        "_purecall",
        "fA9<wu",
        "_wcsupr",
        "GetFileInformationByHandleEx",
        "network_reset",
        "api-ms-win-security-base-l1-1-0.dll",
        "t$ E3",
        "api-ms-win-core-string-obsolete-l1-1-0.dll",
        "t%fA;",
        "fE9$Gu",
        "_exit",
        "fD93u6H;",
        "f94Cu",
        "fD9$xu",
        "fD9$_u",
        "L;d$x",
        ".idata$5",
        "L$Pf9",
        "VirtualQuery",
        "_getch",
        "CallContext:[%hs] ",
        "GetProcAddress",
        "RegCreateKeyExW",
        "L$095",
        "D8L$P",
        ".text$zz",
        "pA_A^_^]",
        "ReleaseSemaphore",
        "no such process",
        "L$XE3",
        "D$@H9t$@",
        "api-ms-win-core-localization-l1-2-0.dll",
        "host_unreachable",
        "L$0H;",
        "GetConsoleScreenBufferInfo",
        "t\"D9%",
        "|$z:t0A",
        "D9f$t",
        "fD9 tuH",
        "_close",
        "x AUAVAWH",
        "fD98t",
        "t<fA9(t6I",
        "connection_refused",
        ";8uWH",
        "REM /?",
        "COMSPEC",
        "no such file or directory",
        "D$`fD98t",
        "l$PLcv$I",
        "t\"D8=",
        "fD9$Hu",
        "GetDiskFreeSpaceExW",
        "GetUserDefaultLCID",
        "bad message",
        "qsort",
        "GetCommandLineW",
        "directory not empty",
        "towupper",
        "        <requestedPrivileges>",
        ">1tUA",
        ".giats",
        "fA9<Fu",
        "T$8H;",
        "SetLocalTime",
        "\"t5fA",
        "fD9+t",
        "SVWATAUAVAWH",
        "too many files open in system",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "|T0 s",
        "api-ms-win-core-heap-l1-1-0.dll",
        "ReleaseMutex",
        "            />",
        "D$ L+",
        "fE9,xu",
        "td@8=",
        "            <requestedExecutionLevel",
        "D$`f9",
        "VAVAWH",
        "connection reset",
        "fD9,8",
        "</assembly>",
        "MoveFileWithProgressW",
        "DEFINED",
        "L9%<`",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "f9,Hu",
        "SetConsoleTextAttribute",
        "@A_A^]",
        "stream timeout",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        "connection already in progress",
        "is a directory",
        "A_A^A\\_^",
        "NtClose",
        "not a directory",
        "DISABLEDELAYEDEXPANSION",
        "RtlCaptureContext",
        "GetSecurityDescriptorOwner",
        "tbfA9",
        "iostream",
        "connection_already_in_progress",
        "f9tQ,u",
        "m;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\;C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps",
        "oT$@f",
        ".idata$6",
        "wrong protocol type",
        "$DHcD$PM",
        "SETLOCAL",
        "wwwwwwwwwwwwwww",
        "fE9LE",
        "Cmd.Exe",
        ".?AVexception@@",
        "$DHcD$`H",
        "|$`E3",
        "wcstol",
        "cmd.pdb",
        "D9|$Pt",
        "SetThreadUILanguage",
        "GetDriveTypeW",
        "1H9wx",
        "PROMPT",
        "NtSetInformationFile",
        "L9N@A",
        "%hs(%d) tid(%x) %08X %ws",
        "SUVWATAVAWH",
        "OutputDebugStringW",
        "D9|$0",
        "read only file system",
        "cG?CCRRRRP`R",
        "ferror",
        "fdpnxsatz",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "RegCloseKey",
        "CopyFileW",
        "GetThreadLocale",
        "uE9\\$<uE",
        "RegDeleteValueW",
        "T$8A;",
        ".rdata$00",
        ";C$sD",
        "%WINDOWS_COPYRIGHT%",
        "fF9$Iu",
        "fA9,Pu",
        "DISABLEEXTENSIONS",
        "(t$@L",
        "fD9$Cu",
        "\\CMD.EXE",
        "DIRCMD",
        " A_A^A]A\\_",
        "operation_in_progress",
        "    </security>",
        "L9{0t#H",
        "SetConsoleCursorPosition",
        "tGD95",
        "Args: `%s' ",
        "_unlock",
        "/w&tV",
        "@.didat",
        "#D$D;",
        "wcstoul",
        "D9t$p",
        "CreateSymbolicLinkW",
        "GetModuleFileNameW",
        "D8L$ ",
        "DuplicateHandle",
        "D8=-u",
        "t$49\\$Ht&9",
        "identifier removed",
        "FormatMessageW",
        "HcD$`H",
        "tSL9?",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "fF9$Cu",
        "wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"",
        "SetFileAttributesW",
        "H!|$ L",
        "Software\\Policies\\Microsoft\\Windows\\System",
        "System",
        "tlD8%",
        "?what@exception@@UEBAPEBDXZ",
        "@USVWATAUAVAWH",
        "`A_A^A\\_^][",
        "L$@E3",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "t,fD92t&I",
        "InitializeCriticalSection",
        "IF /?",
        "fD9$Au",
        ".data$r$brc",
        "\\$$E3",
        "FreeEnvironmentStringsW",
        "\\$(E3",
        "OriginalFilename",
        "9T$0u0",
        "L$PH3",
        "api-ms-win-core-console-l2-2-0.dll",
        "not a stream",
        "iswalpha",
        "D9d$P",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "GetModuleHandleExW",
        "u*9Q<|%",
        "    version=\"5.1.0.0\"",
        "memcpy_s",
        "0A^_^][",
        "=ExitCode",
        "api-ms-win-core-console-l2-1-0.dll",
        "TITLE",
        "x UAVAWH",
        "GetLocalTime",
        "                uiAccess=\"false\"",
        "SVWAVH",
        "CompanyName",
        "L$ UVWATAUAVAWH",
        "f9|$Xvx",
        "??0exception@@QEAA@AEBV0@@Z",
        "],//cuu",
        "address in use",
        " %x %c",
        "fD9<{u",
        "BELOWNORMAL",
        "SHIFT",
        "NtSetInformationProcess",
        "APerformArithmeticOperation: '%c'",
        "9:uGH9-n",
        "VWAVH",
        "ScrollConsoleScreenBufferW",
        "_tell",
        "no such device",
        "H9t$Xt eH",
        "fA94Ru",
        "Hct$ ",
        "RRRRP%",
        "filename too long",
        "    <security>",
        ">/~sA",
        "fA98u",
        "L$0H3",
        "wcsrchr",
        "Null environment",
        "file exists",
        "resource unavailable try again",
        "0A_A^_",
        " [..]",
        ".rdata",
        "RoUninitialize",
        "RtlFreeUnicodeString",
        "[%hs(%hs)]",
        "__dllonexit",
        "GetFileType",
        "FindFirstStreamWStub",
        "RMDIR",
        "??1type_info@@UEAA@XZ",
        "%s=%s",
        "@A_A^A]",
        "useback",
        "WriteFile",
        "WGeToken: (%x) '%s'",
        "fD9,xu",
        ")t$@H",
        "7fD90",
        "api-ms-win-core-string-l1-1-0.dll",
        "RENAME",
        "H9{Hs>H",
        "p AWH",
        "FillConsoleOutputCharacterW",
        "fD99t~D9=<u",
        "F fD9",
        "bad_file_descriptor",
        "A_A^A\\_^[]",
        "|$TfD",
        "WNetCancelConnection2WStub",
        "system",
        "f9,su",
        "protocol_not_supported",
        "t$`I+",
        "network down",
        "GetVolumeInformationW",
        "CreateProcessAsUserW",
        "DisableUNCCheck",
        "srand",
        "D$\"fD",
        "L$8E3",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "StringFileInfo",
        "WATAUAVAWH",
        "HcD$x",
        "f9,{u",
        "yy/MM/dd",
        "E[fD9",
        "f90t7",
        "NEWWINDOW",
        "argument out of domain",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "fD9dM",
        "<>+-*/%()|^&=,",
        " A^_^",
        "H9D$`",
        "timed_out",
        "fD9tG",
        "Redir: ",
        "realloc",
        "@SVAUH",
        "D$@fD9'",
        "RtlDisownModuleHeapAllocation",
        "fD9$Zu",
        "@USVWATAVAWH",
        "Sleep",
        "SystemTimeToFileTime",
        "prRRRPa",
        "fE9dw",
        "t$ WAVAWH",
        "t$0E;",
        "FOR /?",
        ".text",
        ".idata$3",
        "L9L$x",
        "A_A^A\\",
        ".CRT$XCAA",
        "SEPARATE",
        "HcL$ HcD$$H",
        "FindClose",
        "_ultoa",
        "network unreachable",
        "f9,Xu",
        "CreateHardLinkW",
        "GetConsoleTitleW",
        "no message available",
        "GetFileAttributesW",
        "fB9<iu",
        " Operating System",
        "\\uc@8=",
        "fF9<Au",
        "0A_A^^",
        "CCCC@40`P@ ",
        "GetCurrentDirectoryW",
        "VS_VERSION_INFO",
        "b$j-0",
        "HeapSetInformation",
        "l$HE3",
        "fA9<\\u",
        "@WAVH",
        "NtCancelSynchronousIoFile",
        "UWAWH",
        "fD9 t&f",
        "SetConsoleCtrlHandler",
        "\\$ UVWATAUAVAWH",
        "PAUSE",
        "UpdateProcThreadAttribute",
        "L$TE3",
        "f9<Ku",
        "address family not supported",
        "fD9,Cu",
        "fD9<Gu",
        "8/t@H",
        "D8=is",
        "s AWH",
        "fD9$pu",
        "8*uUH",
        "RtlNtStatusToDosError",
        ".idata$4",
        "@SUVWATAUAVAWH",
        "NtQueryInformationToken",
        "L$HE3",
        "fD9,^u",
        "9\\$<t",
        "GetVDMCurrentDirectoriesStub",
        "f9<Bu",
        "RtlDosPathNameToNtPathName_U",
        "f94Zu",
        "\\$ UVWAVAWH",
        ";:u.A",
        "tUD9%",
        "D9%KA",
        "x AVH",
        "executable format error",
        "fD94xu",
        "GetVolumePathNameW",
        "9D$0u",
        "f9|$Vt\"",
        "|$P.uEH",
        "CreateMutexExW",
        "%02d%s%02d%s",
        "fD9 tK",
        "function not supported",
        ">2tFA",
        "UWAVH",
        "IDI_APPICON",
        "%6Ru'",
        ";l$0u",
        "RtlFreeHeap",
        "generic",
        "BrandingFormatString",
        "D$l;E",
        "Microsoft",
        "L+D$ H+",
        "GetWindowsDirectoryW",
        "illegal byte sequence",
        "GetCurrentThreadId",
        "HeapAlloc",
        "SUVWATAUAVAWH",
        "fD9$Gu",
        "CHcD$pH",
        "_open_osfhandle",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        ".didat$2",
        "fD94yu",
        "DebugBreak",
        "_onexit",
        "fD9,0",
        "NtOpenFile",
        "UWAUAVAWH",
        "t$@E3",
        "VirtualFree",
        "@A_A^A]A\\_][",
        " H3E H3E",
        "D$8E3",
        "D9L$l",
        ".rdata$brc",
        "%2d%s%02d%s%02d%s%02d",
        "wcsncmp",
        "3t)E3",
        "L$XH+",
        ".text$lp00cmd.exe!20_pri7",
        "|$0E3",
        "WAUAVH",
        "not enough memory",
        ".rdata$zzzdbg",
        "SetConsoleTitleW",
        "Microsoft Corporation",
        "9|$Pt!H",
        "REM/?",
        ".gfids",
        ".didat$6",
        "    <windowsSettings>",
        "LegalCopyright",
        "GetNumaHighestNodeNumber",
        "T$ H+",
        "??3@YAXPEAX@Z",
        "DelayedExpansion",
        "H9D$x",
        "040904B0",
        ".?AVlogic_error@std@@",
        "RtlVirtualUnwind",
        "WriteConsoleW",
        "D$0fD98t",
        "%hs!%p: ",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "LocalFree",
        "D;S$r",
        "t$0uKE3",
        "t$(E3",
        "_wtol",
        ".data$brc",
        "FileDescription",
        "ExpandEnvironmentStringsW",
        "SetFilePointerEx",
        "t$HM+",
        "SetEnvironmentVariableW",
        "message size",
        "HeapReAlloc",
        "fE9<^u",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "__iob_func",
        "fD9,Au",
        "fE9$@u",
        "DisableCMD",
        "fE94Wu",
        "{ ATAVAWH",
        "%s %s%s ",
        "too many symbolic link levels",
        "DelayLoadFailureHook",
        "t$0E3",
        " [...]",
        "RegDeleteKeyExW",
        "GetSystemTimeAsFileTime",
        "wcscmp",
        "@SUVWAVH",
        "D$pf9",
        "destination_address_required",
        "connection aborted",
        "FindNextStreamWStub",
        "|$4fE99",
        "fD9,Gu",
        "towlower",
        "ReadFile",
        "L$ H+",
        "UnhandledExceptionFilter",
        "|$pI+",
        "WideCharToMultiByte",
        "dd/MM/yy",
        "HcD$ ",
        "u+fD9o",
        "GetModuleFileNameA",
        "GetThreadGroupAffinity",
        "@SVWH",
        "wcsstr",
        "EXIST",
        "x UATAUAVAWH",
        "C0D9s$",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "fD9,_u",
        "RtlReleaseRelativeName",
        "fF9l}",
        "api-ms-win-core-debug-l1-1-0.dll",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "NtOpenThreadToken",
        "Cmd: %s  Type: %x ",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "D$(@P",
        "WaitForSingleObjectEx",
        "timed out",
        ">0tdA",
        "Software\\Classes",
        "SetConsoleInputExeNameW",
        "t$@H9",
        "RevertToSelf",
        "fD94Cu",
        "%d.%d.%05d.%d",
        "network_down",
        "RtlLookupFunctionEntry",
        "_lock",
        "H!\\$ L",
        "%04X-%04X",
        "D9t$<",
        "FillConsoleOutputAttribute",
        "fE9,Ft",
        "GetTickCount",
        "u%6RRRRRPp",
        "not_connected",
        "COLOR",
        ".rdata$00$brc",
        "fflush",
        "l$ VWATAVAWH",
        "OpenThread",
        "_callnewh",
        "SetThreadLocale",
        "no stream resources",
        "bad file descriptor",
        ".bss$zz",
        "l$ E3",
        "</trustInfo>",
        "T$8E3",
        "x ATAVAWH",
        "fD9#t",
        "f98tDA",
        "????????.???",
        "_setmode",
        "permission denied",
        "fD94wu",
        "@.reloc",
        "f94Au",
        ".data$00",
        "<noalias>",
        "fE9,Fu",
        "@A_A^A]A\\_^[",
        "@A_A^A]A\\_^]",
        "api-ms-win-core-memory-l1-1-0.dll",
        "D$<E3",
        "KxfD91",
        "SetCurrentDirectoryW",
        "file too large",
        ".text$mn$00",
        "iswdigit",
        "T$PE3",
        "@A_A^A\\",
        "fD90H",
        "@A_A^_^]",
        "CreateDirectoryW",
        "d$x@8=",
        "too_many_files_open",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        "fprintf",
        "DeleteFileW",
        "??_V@YAXPEAX@Z",
        "4qaCCRCCCB",
        "fD9/t",
        "t$0L+",
        "unknown error",
        "fD9,Fu",
        "fD9:u",
        "L$(H3",
        "D$8L+",
        "SUWATAUAVAWH",
        "t|D9t$xuuH",
        "ntdll.dll",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "DeleteProcThreadAttributeList",
        "L$xE3",
        "Windows Command Processor",
        "L$8f99u`+",
        "|$XMc",
        "t$pE3",
        "pqacG%%apppppppaB",
        "HcT$8H",
        "|$pA;",
        "</application>",
        "invalid seek",
        ".rsrc$01",
        "0A_A^A]A\\_^]",
        ".bss$pr00",
        "L$ SWH",
        "%hs(%u)\\%hs!%p: ",
        "ENABLEEXTENSIONS",
        "A_A^A]A\\_^][",
        "api-ms-win-core-console-l1-1-0.dll",
        "D9t$DtND",
        "D9%PC",
        "ext-ms-win-shell-shell32-l1-2-0",
        "WNetGetConnectionWStub",
        ".text$yd",
        "lstrcmpiW",
        "HcD$pH",
        "DD$`H",
        ">3t#A",
        "fD94Wu",
        "Exception",
        "\\XCOPY.EXE",
        "fD9,Wu",
        "AfD9!u",
        "A_A^_",
        "no lock available",
        "GetStdHandle",
        "memcpy",
        "fD9<Cu",
        "api-ms-win-core-registry-l1-1-0.dll",
        "10.0.19041.746 (WinBuild.160101.0800)"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\System32\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\System32\\cmd.exe",
      "pid": 3636
    }
  ],
  "dropped": [
    {
      "name": [
        "information.txt"
      ],
      "path": "/opt/CAPEv2/storage/analyses/55/files/1579f6235bdcda8ced8fb6c161a9cfa55c8dddca53970f9683236c9ceca581c3",
      "guest_paths": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
      ],
      "size": 2365,
      "crc32": "6B6453F8",
      "md5": "bb0e743a224fa78870a609a7d326893a",
      "sha1": "33e37234d3a802ae88a4f58acf3e6beb85afe211",
      "sha256": "1579f6235bdcda8ced8fb6c161a9cfa55c8dddca53970f9683236c9ceca581c3",
      "sha512": "7bd9c9b188432460e4340161a9a84d5652e1f0350428d7ef3397e4dc180821aea4e0baaf7b1d0b61125bf542749a3ed82234153404757cab6c26ba85544d985f",
      "rh_hash": null,
      "ssdeep": "48:DXeD3C27wkNGK/JI3GwG7XtKCkKkkUYGYEFxVp7LCVoifoJM2:DXeDy2JjAGdKCkKPhglRifoO2",
      "type": "ASCII text, with CRLF line terminators",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1614165B9738CA47039AEC2613301CF01F965E6C75756C63831AD42845FA62D8E3B1A5D",
      "sha3_384": "7e0a4d4034e5794c95a885504539271ca321d58a7bf2946e5208881255f5857edafa1a3fda138fa316fb08fc341cbc32",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "data": "\nHost Name:                 DESKTOP-P54VDBR\nOS Name:                   Microsoft Windows 10 Enterprise LTSC\nOS Version:                10.0.19044 N/A Build 19044\nOS Manufacturer:           Microsoft Corporation\nOS Configuration:          Standalone Workstation\nOS Build Type:             Multiprocessor Free\nRegistered Owner:          Rajesh\nRegistered Organization:   ReviOS 10 26.04\nProduct ID:                57152-371-9180832-35839\nOriginal Install Date:     6/28/2026, 8:24:38 PM\nSystem Boot Time:          6/28/2026, 2:45:59 PM\nSystem Manufacturer:       QEMU\nSystem Model:              Standard PC (Q35 + ICH9, 2009)\nSystem Type:               x64-based PC\nProcessor(s):              1 Processor(s) Installed.\n                           [01]: Intel64 Family 6 Model 60 Stepping 1 GenuineIntel ~3100 Mhz\nBIOS Version:              AMIBios ?-20260628_190944-vps-4e2c0a77-vps-ovh-net, 11/3/2018\nWindows Directory:         C:\\Windows\nSystem Directory:          C:\\Windows\\system32\nBoot Device:               \\Device\\HarddiskVolume1\nSystem Locale:             en-us;English (United States)\nInput Locale:              en-us;English (United States)\nTime Zone:                 (UTC-08:00) Pacific Time (US & Canada)\nTotal Physical Memory:     4,096 MB\nAvailable Physical Memory: 1,561 MB\nVirtual Memory: Max Size:  4,351 MB\nVirtual Memory: Available: 2,819 MB\nVirtual Memory: In Use:    1,532 MB\nPage File Location(s):     C:\\pagefile.sys\nDomain:                    WORKGROUP\nLogon Server:              \\\\DESKTOP-P54VDBR\nHotfix(s):                 4 Hotfix(s) Installed.\n                           [01]: KB5004331\n                           [02]: KB5003791\n                           [03]: KB5006670\n                           [04]: KB5005699\nNetwork Card(s):           1 NIC(s) Installed.\n                           [01]: Intel(R) PRO/1000 MT Network Connection\n                                 Connection Name: Ethernet\n                
                 DHCP Enabled:    Yes\n                                 DHCP Server:     192.168.122.1\n                                 IP address(es)\n                                 [01]: 192.168.122.139\n                                 [02]: fe80::b437:c6c4:ee55:3525\nHyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.\n",
      "strings": [],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": "",
      "pid": 2108
    }
  ],
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-06-29 12:43:43",
    "ended": "2026-06-29 12:47:36",
    "duration": 233,
    "id": 55,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 55,
      "status": "stopping",
      "name": "win10",
      "label": "win10",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-06-29 12:43:43",
      "shutdown_on": "2026-06-29 12:47:36"
    },
    "package": "batch",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "vnc_port": "5900"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "394455c2cd85889fb0782bfcf1f8c5c2f7f77b46"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 3636,
        "process_name": "cmd.exe",
        "parent_id": 2892,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "first_seen": "2026-06-28 21:56:14,094",
        "calls": [
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3868",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3868",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff79a468f50"
              },
              {
                "name": "Parameter",
                "value": "0xa0d6573000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "4216",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa077c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 2
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3688",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00`\\xec\\xcf\\xd6\\xa0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xec\\xcf\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3688",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3688",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "4216",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00`\\xef\\xbf\\xd6\\xa0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xef\\xbf\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "4216",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "4216",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "4052",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00 \\xed\\xaf\\xd6\\xa0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xed\\xaf\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "4052",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "4052",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "2748",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xec\\x9f\\xd6\\xa0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xec\\x9f\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "2748",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "2748",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3868",
            "caller": "0x7ff79a4693c1",
            "parentcaller": "0x7ff79a468e29",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff79a469370"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3868",
            "caller": "0x7ff79a463828",
            "parentcaller": "0x7ff79a468ecd",
            "category": "threading",
            "api": "NtOpenThread",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000009"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001fffff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "0"
              },
              {
                "name": "ThreadId",
                "value": "18446744073012247288"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3868",
            "caller": "0x7ff79a46052c",
            "parentcaller": "0x7ff79a463839",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-28 21:56:14,359",
            "thread_id": "3868",
            "caller": "0x7ff79a46055b",
            "parentcaller": "0x7ff79a463839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3ec610"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a463839",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf7o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x18\\xf7o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46387c",
            "parentcaller": "0x7ff79a468ecd",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4638c6",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xd0\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xd8\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a464de7",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00 \\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a464e0b",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00 \\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x8fA\\x00\\x00\\xf0\\xf8o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x8a;\\x00\\x00\\xf8\\xf8o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4606a0",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x8fA\\x00\\x00\\xf0\\xf8o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x8a;\\x00\\x00\\xf8\\xf8o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46064e",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4655e1",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46562a",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DisableUNCCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46566e",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "EnableExtensions"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4656c5",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DelayedExpansion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465709",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DefaultColor"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465760",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "CompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4657d6",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "PathCompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465869",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "AutoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465882",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4655e1",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46589d",
            "parentcaller": "0x7ff79a464e35",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4658ac",
            "parentcaller": "0x7ff79a464e35",
            "category": "misc",
            "api": "srand",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "seed",
                "value": "0x6a41987e"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a464e3c",
            "parentcaller": "0x7ff79a463931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x20da6ef22b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6ed7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a464e88",
            "parentcaller": "0x7ff79a463931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x20da6ef22b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab71000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab81000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a463e85",
            "parentcaller": "0x7ff79a4624ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x20da6f12e80",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x20da6f12580",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeedf2ef8"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x20da6f12580",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee3f58c"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x20da6f12640",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x20da6f12a60",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a463ef0",
            "parentcaller": "0x7ff79a4624ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a45aa92",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6f1c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a464f9c",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x02\\x00\\x00 \\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465513",
            "parentcaller": "0x7ff79a46521e",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 62
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab71000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6edb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6edb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a464fff",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x02\\x00\\x00p\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xfd%\\x00\\x00x\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x90A\\xef\\xa6\r\\x02\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a4650f9",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465116",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "CopyFileExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f06c0"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465137",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "IsDebuggerPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f01b0"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a465151",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleInputExeNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a8499ae0"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46517c",
            "parentcaller": "0x7ff79a463931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6ed6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a46517c",
            "parentcaller": "0x7ff79a463931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6edc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a45bea1",
            "parentcaller": "0x7ff79a4639f4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "start"
              },
              {
                "name": "Arguments",
                "value": " /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a45c665",
            "parentcaller": "0x7ff79a45bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xf4o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xf8\\xf4o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x02\\x00\\x00\r\\x02\\x00\\x00\\x00\\xf8o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab71000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6ed6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab96000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab9b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daaba0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daaba5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daabaa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a460c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6f21000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-28 21:56:14,375",
            "thread_id": "3868",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x20da6f12100",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xe649526f"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0748"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a461257",
            "parentcaller": "0x7ff79a455ea6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daaba9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a456019",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "UpdateProcThreadAttribute",
            "status": false,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Attribute",
                "value": "393217"
              },
              {
                "name": "Value",
                "value": "309237645313"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000228"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000220"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "2108"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7a90000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SHCORE"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-28 21:56:14,390",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-28 21:56:14,406",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 93
          },
          {
            "timestamp": "2026-06-28 21:56:14,437",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-28 21:56:14,469",
            "thread_id": "3868",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\cmd.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
              },
              {
                "name": "CreationFlags",
                "value": "0x00080410",
                "pretty_value": "CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "2108"
              },
              {
                "name": "ThreadId",
                "value": "4448"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000228"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000220"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 95
          },
          {
            "timestamp": "2026-06-28 21:56:14,469",
            "thread_id": "3868",
            "caller": "0x7ff79a456126",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-28 21:56:14,469",
            "thread_id": "3868",
            "caller": "0x7ff79a465cd2",
            "parentcaller": "0x7ff79a4740a5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-28 21:56:30,047",
            "thread_id": "3868",
            "caller": "0x7ff79a46f4b0",
            "parentcaller": "0x7ff79a4740a5",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xd0o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xd0o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-28 21:56:30,062",
            "thread_id": "3868",
            "caller": "0x7ff79a46f4b0",
            "parentcaller": "0x7ff79a4740a5",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\r\\x02\\x00\\x00\\xd0\\xd1o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xd1o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-28 21:56:30,062",
            "thread_id": "3868",
            "caller": "0x7ff79a46f4b0",
            "parentcaller": "0x7ff79a4740a5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000058"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "Buffer",
                "value": "^"
              },
              {
                "name": "Length",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a46f4b0",
            "parentcaller": "0x7ff79a4740a5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000058"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "Buffer",
                "value": "C"
              },
              {
                "name": "Length",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a465d0a",
            "parentcaller": "0x7ff79a4740a5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a456163",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daaba9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a45617a",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daaba1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a45617a",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6edd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a45618e",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daaba1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00018000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a4561a2",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab99000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a4561b6",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab99000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a4561ca",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a4561de",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da6ed6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a456204",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20daab91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x8fA\\x00\\x00\\x80\\xfao\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00\\x88\\xfao\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\r\\x02\\x00\\x00\\xa0\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x8a;\\x00\\x00\\xa8\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\r\\x02\\x00\\x00\\xa0\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x8a;\\x00\\x00\\xa8\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a463992",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf9o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\xd8\\xf9o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a4639b3",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf7o\\xd6\\xa0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x18\\xf7o\\xd6\\xa0\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x3b8a00000000"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-28 21:56:30,078",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x20da87c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001cc"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d0"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c8"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001bc"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000019c"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a0"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000198"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000180"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000184"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000188"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000018c"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000190"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000194"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000154"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000015c"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000160"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000164"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000168"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000134"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000138"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000124"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000120"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000011c"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000118"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000104"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ec"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f8"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000fc"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000100"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000010c"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000108"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e0"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e4"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000cc"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000c8"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000084"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000088"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000090"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000090"
              },
              {
                "name": "ValueName",
                "value": "DisableMetaFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000090"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000090"
              },
              {
                "name": "ValueName",
                "value": "DisableUmpdBufferSizeCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000b4"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000b0"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ac"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001dc"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a8"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000068"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000005c"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000064"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-28 21:56:30,125",
            "thread_id": "3868",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 211
          }
        ],
        "threads": [
          "3868",
          "4216",
          "3688",
          "4052",
          "2748"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff79a450000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 2108,
        "process_name": "cmd.exe",
        "parent_id": 3636,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "first_seen": "2026-06-28 21:56:14,628",
        "calls": [
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "4448",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "4448",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff79a468f50"
              },
              {
                "name": "Parameter",
                "value": "0xae2b32e000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "2848",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa077c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 2
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "3108",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00`\\xec\\xaf+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xec\\xaf+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "3108",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "3108",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "2848",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00`\\xed\\x9f+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xed\\x9f+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "2848",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "2848",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "4184",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xed\\x8f+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xed\\x8f+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "4184",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "4184",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "3092",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xed\\x7f+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xed\\x7f+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "3092",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-28 21:56:14,832",
            "thread_id": "3092",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4693c1",
            "parentcaller": "0x7ff79a468e29",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff79a469370"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a463828",
            "parentcaller": "0x7ff79a468ecd",
            "category": "threading",
            "api": "NtOpenThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000224"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001fffff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "2108"
              },
              {
                "name": "ThreadId",
                "value": "726661816"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46052c",
            "parentcaller": "0x7ff79a463839",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46055b",
            "parentcaller": "0x7ff79a463839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3ec610"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a463839",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf6O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xd8\\xf6O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46387c",
            "parentcaller": "0x7ff79a468ecd",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4638c6",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x90\\xf9O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x98\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a464de7",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00\\xe0\\xf8O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a464e0b",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00\\xe0\\xf8O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x8f?\\x00\\x00\\xb0\\xf8O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00\\xb8\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4606a0",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x8f?\\x00\\x00\\xb0\\xf8O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00\\xb8\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46064e",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a464a84",
            "parentcaller": "0x7ff79a464e1a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293e8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a464a84",
            "parentcaller": "0x7ff79a464b0c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4655e1",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46562a",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "DisableUNCCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46566e",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "EnableExtensions"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4656c5",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "DelayedExpansion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a465709",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "DefaultColor"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a465760",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "CompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4657d6",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "PathCompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a465869",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "AutoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a465882",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4655e1",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46589d",
            "parentcaller": "0x7ff79a464e35",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a4658ac",
            "parentcaller": "0x7ff79a464e35",
            "category": "misc",
            "api": "srand",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "seed",
                "value": "0x6a41987e"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a464e3c",
            "parentcaller": "0x7ff79a463931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x244293c2310",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a464e88",
            "parentcaller": "0x7ff79a463931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x244293c2310",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c600000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c600000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c611000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c621000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a463e85",
            "parentcaller": "0x7ff79a4624ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2120",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e1f40",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeedf2ef8"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2ae0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee3f58c"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2960",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2480",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a463ef0",
            "parentcaller": "0x7ff79a4624ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a45aa92",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293ea000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a45abf9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293ef000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-28 21:56:14,847",
            "thread_id": "4448",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a45ac03",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a464f9c",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00D\\x02\\x00\\x00\\xe0\\xf8O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a465513",
            "parentcaller": "0x7ff79a46521e",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 66
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c611000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acdb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acdb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a464fff",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00D\\x02\\x00\\x000\\xf9O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00+=\\x00\\x008\\xf9O+\\xae\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00p\\x88<)D\\x02\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a465022",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xf8O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00D\\x02\\x00\\x00\\xb8\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a465052",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xf8O+\\xae\\x00\\x00\\x00\\\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a4650f9",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a465116",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "CopyFileExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f06c0"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a465137",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "IsDebuggerPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f01b0"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a465151",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleInputExeNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a8499ae0"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a46517c",
            "parentcaller": "0x7ff79a463931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a46517c",
            "parentcaller": "0x7ff79a463931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acdc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a45bea1",
            "parentcaller": "0x7ff79a4639f4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "Arguments",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a45c665",
            "parentcaller": "0x7ff79a45bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xf4O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xb8\\xf4O+\\xae\\x00\\x00\\x00\\x08\\x02\\x00\\x00D\\x02\\x00\\x00\\xc0\\xf7O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c611000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a458ac1",
            "parentcaller": "0x7ff79a45c970",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100000",
                "pretty_value": "SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a458ac1",
            "parentcaller": "0x7ff79a45c970",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "9",
                "pretty_value": "FileNameInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a458ac1",
            "parentcaller": "0x7ff79a45c970",
            "category": "filesystem",
            "api": "GetVolumeInformationByHandleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "VolumeName",
                "value": ""
              },
              {
                "name": "VolumeSerial",
                "value": "0x1c64b66f"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a458ac1",
            "parentcaller": "0x7ff79a45c970",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a460c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x24429409000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e28a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xe649526f"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0748"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a465bce",
            "parentcaller": "0x7ff79a45c9bd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xf2O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xf2O+\\xae\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00@\\xf3O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a46c73d",
            "parentcaller": "0x7ff79a465bdb",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x10\\xf2O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf2O+\\xae\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa0A<)D\\x02\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4448"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\cmdext.dll"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-28 21:56:14,863",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4220000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4229000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4225000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4225000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4225000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4225000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4225000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4225000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cmdext"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a4220000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmdext"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4220000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a42214f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff79a4ac000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a46985b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff79a4ac000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4229000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4229000"
              },
              {
                "name": "ModuleName",
                "value": "cmdext.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "misc",
            "api": "SaferIdentifyLevel",
            "status": true,
            "return": "0x00000001",
            "arguments": [],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000003",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "8"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xa7>)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "15"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a46208a",
            "parentcaller": "0x7ff79a45980b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a462784",
            "parentcaller": "0x7ff79a4604ae",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a4604da",
            "parentcaller": "0x7ff79a45ce8d",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 124
          },
          {
            "timestamp": "2026-06-28 21:56:14,878",
            "thread_id": "4448",
            "caller": "0x7ff79a460099",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "Buffer",
                "value": "systeminfo > information.txt\r\nstart information.txt"
              },
              {
                "name": "Length",
                "value": "51"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-28 21:56:14,894",
            "thread_id": "4448",
            "caller": "0x7ff79a46014f",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 4,
            "id": 126
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45cec6",
            "parentcaller": "0x7ff79a459826",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00(\\xe9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c631000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00X\\xe9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a47c6ce",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp>"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x10\\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a4779d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "systeminfo"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xebO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xe8\\xebO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "  "
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xebO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb8\\xebO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "1>"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xebO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb8\\xebO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "information.txt "
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00(\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c642000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c652000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\systeminfo.*"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e28a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\systeminfo.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x1543d8cf"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\systeminfo.COM"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2960",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\systeminfo.EXE"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x1543d8cf"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a461170",
            "parentcaller": "0x7ff79a45d1de",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a461170",
            "parentcaller": "0x7ff79a45d1de",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a460243",
            "parentcaller": "0x7ff79a45b25e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xe9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xe9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45b00b",
            "parentcaller": "0x7ff79a45b26d",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000060"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000218"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45b280",
            "parentcaller": "0x7ff79a45bf16",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a462784",
            "parentcaller": "0x7ff79a45b2b1",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "DesiredAccess",
                "value": "0x40100080",
                "pretty_value": "GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "CreateDisposition",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45b2fe",
            "parentcaller": "0x7ff79a45bf16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45bea1",
            "parentcaller": "0x7ff79a45cffc",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "systeminfo"
              },
              {
                "name": "Arguments",
                "value": " "
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45c665",
            "parentcaller": "0x7ff79a45bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe7O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8\\xe7O+\\xae\\x00\\x00\\x00\\x08\\x02\\x00\\x00D\\x02\\x00\\x00\\xf0\\xeaO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c662000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a460c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x24429429000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\systeminfo.*"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2c00",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\systeminfo.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x1543d8cf"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\systeminfo.COM"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2180",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\systeminfo.EXE"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x1543d8cf"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-28 21:56:14,910",
            "thread_id": "4448",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a465b59",
            "parentcaller": "0x7ff79a45c9bd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xe5O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xe5O+\\xae\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00p\\xe6O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a4642de",
            "parentcaller": "0x7ff79a465b7f",
            "category": "process",
            "api": "UpdateProcThreadAttribute",
            "status": false,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Attribute",
                "value": "393217"
              },
              {
                "name": "Value",
                "value": "3120963755442176001"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000090"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa3d0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3da190"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3efe60"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c700000"
              },
              {
                "name": "SectionOffset",
                "value": "0xae2b4fdf30"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464408",
            "parentcaller": "0x7ff79a465b7f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a465aa5",
            "parentcaller": "0x7ff79a46441a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc0000008",
            "pretty_return": "INVALID_HANDLE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xe3O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00D\\x02\\x00\\x00\\xa8\\xe3O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a46441a",
            "parentcaller": "0x7ff79a465b7f",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x91\\x0e\\x02\\x02\\xd0\\xe3O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00\\xd8\\xe3O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000214"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\systeminfo.exe"
              },
              {
                "name": "CommandLine",
                "value": "systeminfo  "
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "4468"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-28 21:56:14,925",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7a90000"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-28 21:56:14,941",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-28 21:56:14,941",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SHCORE"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-28 21:56:14,941",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-28 21:56:14,941",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 192
          },
          {
            "timestamp": "2026-06-28 21:56:14,972",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-28 21:56:15,003",
            "thread_id": "4448",
            "caller": "0x7ff79a464486",
            "parentcaller": "0x7ff79a465b7f",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\systeminfo.exe"
              },
              {
                "name": "CommandLine",
                "value": "systeminfo  "
              },
              {
                "name": "CreationFlags",
                "value": "0x00080000",
                "pretty_value": "EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "4468"
              },
              {
                "name": "ThreadId",
                "value": "1140"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000214"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 194
          },
          {
            "timestamp": "2026-06-28 21:56:15,003",
            "thread_id": "4448",
            "caller": "0x7ff79a4644b1",
            "parentcaller": "0x7ff79a465b7f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-28 21:56:15,003",
            "thread_id": "4448",
            "caller": "0x7ff79a465cd2",
            "parentcaller": "0x7ff79a464517",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-28 21:56:23,847",
            "thread_id": "4448",
            "caller": "0x7ff79a465d0a",
            "parentcaller": "0x7ff79a464517",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-28 21:56:23,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46857e",
            "parentcaller": "0x7ff79a45c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-28 21:56:23,847",
            "thread_id": "4448",
            "caller": "0x7ff79a46857e",
            "parentcaller": "0x7ff79a45c9c9",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acdc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-28 21:56:23,847",
            "thread_id": "4448",
            "caller": "0x7ff79a45b054",
            "parentcaller": "0x7ff79a45afc9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45b054",
            "parentcaller": "0x7ff79a45afc9",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000218"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000060"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45afd1",
            "parentcaller": "0x7ff79a45bf0a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00p\\xedO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xedO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00\\x98\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4606a0",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xedO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xedO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00\\x98\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a46064e",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xedO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xedO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45d00a",
            "parentcaller": "0x7ff79a459826",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xecO+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45d02f",
            "parentcaller": "0x7ff79a459826",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeaO+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x08\\xeaO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45d04b",
            "parentcaller": "0x7ff79a459826",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45d04b",
            "parentcaller": "0x7ff79a459826",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c641000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a462784",
            "parentcaller": "0x7ff79a4604ae",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4604da",
            "parentcaller": "0x7ff79a45ce8d",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45dfd3",
            "parentcaller": "0x7ff79a45ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442941b000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002d000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45dfd3",
            "parentcaller": "0x7ff79a45ceaa",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x24429406000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45dfd3",
            "parentcaller": "0x7ff79a45ceaa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x24429406000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a46004c",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 217
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a460099",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "Buffer",
                "value": "start information.txt"
              },
              {
                "name": "Length",
                "value": "21"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a46004c",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "3\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 219
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a460099",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45fb34",
            "parentcaller": "0x7ff79a45f50b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "8\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45fb34",
            "parentcaller": "0x7ff79a45f50b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "3\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 222
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45cec6",
            "parentcaller": "0x7ff79a459826",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00(\\xe9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00X\\xe9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a47c6ce",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp>"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x10\\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a4779d6",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "start"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xebO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xe8\\xebO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": " information.txt "
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00(\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c641000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45bea1",
            "parentcaller": "0x7ff79a45cffc",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "start"
              },
              {
                "name": "Arguments",
                "value": " information.txt"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45c665",
            "parentcaller": "0x7ff79a45bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe7O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8\\xe7O+\\xae\\x00\\x00\\x00\\x08\\x02\\x00\\x00D\\x02\\x00\\x00\\xf0\\xeaO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c672000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c677000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c67c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c681000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c686000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c68b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a460c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442941b000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244293e2900",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xf0c08d74"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0748"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-28 21:56:23,894",
            "thread_id": "4448",
            "caller": "0x7ff79a456019",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "UpdateProcThreadAttribute",
            "status": false,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Attribute",
                "value": "393217"
              },
              {
                "name": "Value",
                "value": "309237645313"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": false,
            "return": "0xffffffffc000012f",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "CommandLine",
                "value": "information.txt "
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "CommandLine",
                "value": "information.txt "
              },
              {
                "name": "CreationFlags",
                "value": "0x00080410",
                "pretty_value": "CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "0"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 249
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a603f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-28 21:56:23,910",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6033f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000284"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000284"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-28 21:56:23,972",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000288"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000288"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "e\\x04i&Sx\\xd6\\xc4\\xf4\\xe6E\\xc8\\xb5^\\x01\\xbd\\xe1\"\\xe5\\x13\\xc5\\x92\\xc1\\x04?s\\xd6V\\x87N\\xf6\\xc0\\xf1spnP\\xe1F)\\x1d\\xfd\\xfd#\\x82\\xb1\\xa6\\xcb"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-28 21:56:24,019",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a5b50000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a5b50000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a5b57ce0"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd3O+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-28 21:56:24,066",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000294"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000290"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-28 21:56:24,082",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-28 21:56:24,082",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-28 21:56:24,082",
            "thread_id": "4448",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-28 21:56:24,082",
            "thread_id": "4448",
            "caller": "0x7ff79a456649",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xe0O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x98\\xe0O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-28 21:56:24,097",
            "thread_id": "4448",
            "caller": "0x7ff79a465aa5",
            "parentcaller": "0x7ff79a456686",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xe0O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe0O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-28 21:56:24,097",
            "thread_id": "4448",
            "caller": "0x7ff79a456686",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00\\xd0\\xe0O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xd8\\xe0O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-28 21:56:24,097",
            "thread_id": "4448",
            "caller": "0x7ff79a4566b7",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x90\\xe0O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xe0O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-28 21:56:24,097",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a4699d7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff79a4ac000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-28 21:56:24,097",
            "thread_id": "4448",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a4699d7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff79a4ac000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-28 21:56:24,113",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-28 21:56:24,175",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 1,
            "id": 319
          },
          {
            "timestamp": "2026-06-28 21:56:24,191",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\PROPSYS"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-28 21:56:24,285",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-28 21:56:24,300",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-28 21:56:24,300",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 323
          },
          {
            "timestamp": "2026-06-28 21:56:24,316",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 8,
            "id": 324
          },
          {
            "timestamp": "2026-06-28 21:56:24,316",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8050000"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-28 21:56:24,347",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 10,
            "id": 326
          },
          {
            "timestamp": "2026-06-28 21:56:24,347",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.Storage.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-28 21:56:24,347",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0E5AAE11-A475-4C5B-AB00-C66DE400274E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ADD8BA80-002B-11D0-8F0F-00C04FD7D062"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-28 21:56:24,363",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-28 21:56:24,363",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "76765B11-3F95-4AF2-AC9D-EA55D8994F1A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-28 21:56:24,378",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-28 21:56:24,378",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4DF0C730-DF9D-4AE3-9153-AA6B82E9795A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8BE2D872-86AA-4D47-B776-32CCA40C7018"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 13,
            "id": 333
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xea\\xbf+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xea\\xbf+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 335
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x244293c0b50"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aaaae327",
            "parentcaller": "0x7ff9aaa0faf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aaa05157",
            "parentcaller": "0x7ff9aaa043ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CFGMGR32.dll"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aaa04d42",
            "parentcaller": "0x7ff9aaa04aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8110000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0004e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aa9ffee4",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a815b000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aa9fffb5",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aa9fffed",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aaa00068",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aaa0009c",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-28 21:56:24,457",
            "thread_id": "5340",
            "caller": "0x7ff9aaa05082",
            "parentcaller": "0x7ff9aaa079d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8148000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9aaa04485",
            "parentcaller": "0x7ff9aaa5b1dd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9aaa37b9c",
            "parentcaller": "0x7ff9aaa2288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8148000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9aaa37b9c",
            "parentcaller": "0x7ff9aaa2288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CFGMGR32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8110000"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 5,
            "id": 349
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8114cdf",
            "parentcaller": "0x7ff9a8123b0d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\CMApi"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8114cdf",
            "parentcaller": "0x7ff9a8123b0d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\cfgmgr32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8110000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8123280"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a699a000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a699a000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9aa3e5611",
            "parentcaller": "0x7ff9a811f8f8",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003ac"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00#\\x00\\x00\\xc0\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9aa3e5611",
            "parentcaller": "0x7ff9a811ec21",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003ac"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a638acb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000003c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003c8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa077c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\edputil"
              },
              {
                "name": "DllBase",
                "value": "0x7ff993730000"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf2\\xcf+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xf2\\xcf+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x244293c0b50"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9a63ca6d1",
            "parentcaller": "0x7ff9a63b12d5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a638ad1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845ef7c",
            "parentcaller": "0x7ff9a845eb19",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 366
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845f960",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000220"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845f984",
            "parentcaller": "0x7ff9a845eb81",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000220"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c4"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xc4\\xd8c\\xf2\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000398"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a638acb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000003c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000398"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a63b139f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9a63ca6d1",
            "parentcaller": "0x7ff9a63b12d5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#0000000003300000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a638ad1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a63b139f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000398"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00o\\xb6d\\x1c\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c4"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a638acb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000398"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003c4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9a63ca6d1",
            "parentcaller": "0x7ff9a63b12d5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#00000008E0100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a638ad1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5348",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a63b139f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000398"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xd9T\\x98P\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x008\\x00E\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000003cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003cc"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003cc"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474f8d",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474f8d",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a6361f1d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a6362e6f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xb7D)D\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a6361f41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x00e\\x000\\x000\\x008\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000398"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x00e\\x000\\x000\\x008\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2442943d6a0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "5356"
              },
              {
                "name": "ProcessId",
                "value": "2108"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5356",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xec\\xdf+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xec\\xdf+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5356",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5356",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2442943d6a0"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5340",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003e0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a9d45960"
              },
              {
                "name": "Parameter",
                "value": "0x2442acdce40"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "5360"
              },
              {
                "name": "ProcessId",
                "value": "2108"
              },
              {
                "name": "Module",
                "value": "SHCORE.dll"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xef\\xef+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xef\\xef+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a9d45960"
              },
              {
                "name": "Parameter",
                "value": "0x2442acdce40"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a8498cfe",
            "parentcaller": "0x7ff9a9d79042",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0004+\\xae\\x00\\x00\\x00<\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5360"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x24429457000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a9777d31",
            "parentcaller": "0x7ff9a972de55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\WindowsRuntime"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a972ddb2",
            "parentcaller": "0x7ff9a972d0f2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000408"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000404"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ActivatableClassId"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a97708cd",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000408"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.FileTypeAssociation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a9770927",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000040c"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00h\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00F\\x00i\\x00l\\x00e\\x00T\\x00y\\x00p\\x00e\\x00A\\x00s\\x00s\\x00o\\x00c\\x00i\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\x19\\x01\\x02\\x00D\\x02\\x00\\x00uB\\x04Z\\xff8f?\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\xfff8\\xffec\\xffef+\\xffae\\x00\\x00\\x00\\xffe5M\\x04Z\\xff8f?\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xff85E)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00@\\x1bD)D\\x02\\x00\\x00@\\xffed\\xffef+\\xffae\\x00\\x00\\x00\\xffa4L\\xffa2\\xff86\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffcd$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\xffe8#\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00@\\x1bD)D\\x02\\x00\\x00\\xffc8\\xffd5\\xffc4\\xff86\\xfff9\\x7f\\x00\\x00\\x19\\x01\\x02\\x00D\\x02\\x00\\x00\\xff98$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xff80$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x000\\xffed\\xffef+\\xffae\\x00\\x00\\x00h\\xffd9\\xffc4\\xff86\\xfff9\\x7f\\x00\\x00@\\xffed\\xffef+\\xffae\\x00\\x00\\x00\\xff90\\x1aD)D\\x02\\x00\\x00\\xffc0\\xffddr\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00\\xffc0\\xffee\\xffef+\\xffae\\x00\\x00\\x00@\\x1bD)D\\x02\\x00\\x00@\\xff85E)D\\x02\\x00\\x000hC)D\\x02\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00$\\x00
&\\x00\\x00\\x00\\x00\\x00\\xffac\\x1aD)D\\x02\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x000\\xffed\\xffef+\\xffae\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffccC)D\\x02\\x00\\x00\\xfff2\\xffd0r\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a97356ac",
            "parentcaller": "0x7ff9a979b1b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000040c"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-28 21:56:24,472",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a975e0c4",
            "parentcaller": "0x7ff9aaa338b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a972ddb2",
            "parentcaller": "0x7ff9a972d0f2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000410"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000404"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a97708cd",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000414"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000410"
              },
              {
                "name": "ObjectAttributesName",
                "value": "StateRepository"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a9770927",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000414"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffcek|\\xffd3\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00\\x00\\x00\\x04\\xfff4\n+D\\x02\\x00\\x000\\x19\\xffd0\\xff86\\xfff9\\x7f\\x00\\x00\\xffb2\\xffddr\\xffa9\\xfff9\\x7f\\x00\\x00\\xffe9N\\xffa0\\xff86\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd9\\xffe8\\xffef+\\xffae\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00\\xffa0\\x14\\x1f)D\\x02\\x00\\x00\\xff85N\\x04Z\\xff8f?\\x00\\x00\\x00\\x00\\x1f)D\\x02\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00H\\xffe9\\xffef+\\xffae\\x00\\x00\\x005H\\x04Z\\xff8f?\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff9c\\x1bD)D\\x02\\x00\\x00\\xff98\\xff91A)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\xffd0\\xff87A)D\\x02\\x00\\x00\\xff90\\xffe9\\xffef+\\xffae\\x00\\x00\\x00\\xffa4L\\xffa2\\xff86\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffcd$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\xffe8#\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\xffd0\\xff87A)D\\x02\\x00\\x00\\xffc8\\xffd5\\xffc4\\xff86\\xfff9\\x7f\\x00\\x00\\x19\\x01\\x02\\x00D\\x02\\x00\\x00\\xff98$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xff80$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\xff80\\xffe9\\xffef+\\xffae\\x00\\x00\\x00h\\xffd9\\xffc4\\xff86\\xfff9\\x7f\\x00\\x00\\xff90\\xffe9\\xffef+\\xffae\\x00\\x00\\x00\\xffa0\\xffd7C)D\\x02\\x00\\x00\\xffc0\\xffddr\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00\\xff90\\xffeb\\xffef+\
\xffae\\x00\\x00\\x00\\xffd0\\xff87A)D\\x02\\x00\\x00\\xfff0\\x7fA)D\\x02\\x00\\x00\\xffa0\\xffd7C)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xffae\\x00\\x00\\x00\\x0c\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\xffbc\\xffd7C)D\\x02\\x00\\x000\\x00\\x00\\x00D\\x02\\x00\\x00\\x04\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe9\\xffef+\\xffae\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffcfC)D\\x02\\x00\\x00\\xfff2\\xffd0r\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "ExePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "CommandLine"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "IdentityType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Type",
                "value": "0x7ff900000003"
              },
              {
                "name": "DataLength",
                "value": "184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a9789d40",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "ActivatableClasses"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "ServerType"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "AppId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "Identity"
              },
              {
                "name": "Data",
                "value": "nt authority\\system"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "ServiceName"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "ExplicitPsmActivationType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a97356ac",
            "parentcaller": "0x7ff9a979b1b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000414"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a976ab76",
            "parentcaller": "0x7ff9a976f113",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a976ab76",
            "parentcaller": "0x7ff9a976f113",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000418"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a9c32140",
            "parentcaller": "0x7ff9a9c31ddd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442945a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442945b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a96cfb64",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb82",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetMarshalSizeMax"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9760fc0"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb9f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbbc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbd9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442945e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a96d879f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000420"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a84646e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c2e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8462338",
            "parentcaller": "0x7ff9a84a9215",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000424"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8464b01",
            "parentcaller": "0x7ff9a84642d1",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 497
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a8464cf6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000424"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a8464c2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442cae0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8464cad",
            "parentcaller": "0x7ff9a8464c5d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000424"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978516f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785199",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851c3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9747c50"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851ed",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785217",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785241",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96dc030"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978526b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a978507f",
            "parentcaller": "0x7ff9aaa338b0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x24429460000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-28 21:56:24,488",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xbc\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x90\\xbd\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042a"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbb\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00 \\xbc\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbb\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00 \\xbc\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xb9\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00P\\xba\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042a"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb7\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xe0\\xb8\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb7\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xe0\\xb8\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a972ae1c",
            "parentcaller": "0x7ff9a9728039",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042a"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728085",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xb7\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00*\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00 \\xb8\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000042a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000042a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a972b02a",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a972b061",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042e"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a972b0c5",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a970953c",
            "parentcaller": "0x7ff9a970806b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042a"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a9708090",
            "parentcaller": "0x7ff9a96dace7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a1300000"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1300000"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a1300000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a1300000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a1307340"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a1300000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-28 21:56:24,503",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a1300000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a1307380"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a96de87e",
            "parentcaller": "0x7ff9a96de27f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26798",
            "parentcaller": "0x7ff9a84952e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9aaa267b9",
            "parentcaller": "0x7ff9a84952e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042c"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a9c32140",
            "parentcaller": "0x7ff9a9c31ddd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000432"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000432"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9a8498cfe",
            "parentcaller": "0x7ff9a9d476bf",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0004+\\xae\\x00\\x00\\x00<\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5360"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "5360",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.UI.AppDefaults"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9903b0000"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-28 21:56:24,519",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9903b0000"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-28 21:56:24,535",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 1,
            "id": 622
          },
          {
            "timestamp": "2026-06-28 21:56:24,535",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-28 21:56:24,550",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 6,
            "id": 624
          },
          {
            "timestamp": "2026-06-28 21:56:24,613",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\iertutil"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f680000"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-28 21:56:24,613",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\srvcli"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f650000"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-28 21:56:24,613",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a75f0000"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-28 21:56:24,613",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\urlmon"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f930000"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-28 21:56:24,613",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 5,
            "id": 629
          },
          {
            "timestamp": "2026-06-28 21:56:24,628",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-28 21:56:24,628",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-06-28 21:56:24,628",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-28 21:56:24,628",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f930000"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-28 21:56:24,628",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "79EAC9EE-BAF9-11CE-8C82-00AA004BA90B"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-28 21:56:24,644",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "API-MS-WIN-CORE-URL-L1-1-0.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-06-28 21:56:24,644",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 636
          },
          {
            "timestamp": "2026-06-28 21:56:24,644",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CDC82860-468D-4D4E-B7E7-C298FF23AB2C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "5632B1A4-E38A-400A-928A-D4CD63230295"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-28 21:56:24,644",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 638
          },
          {
            "timestamp": "2026-06-28 21:56:24,660",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-06-28 21:56:24,660",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-28 21:56:24,660",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F1C46D71-B791-4110-8D5C-7108F22C1010"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8A43ED9F-F4E6-4421-ACF9-1DAB2986820C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-28 21:56:24,660",
            "thread_id": "4448",
            "caller": "0x7ff79a457989",
            "parentcaller": "0x7ff79a4566e5",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-28 21:56:24,675",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Bcp47Langs"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e080000"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-28 21:56:24,675",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\sppc"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6c60000"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-28 21:56:24,675",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SLC"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6c90000"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7f80000"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\appresolver"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9971f0000"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\appresolver.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9971f0000"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "21CBC515-2DDE-4D66-8292-BA34BD25094A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9a8498cfe",
            "parentcaller": "0x7ff9a9d79042",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0004+\\xae\\x00\\x00\\x00<\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5360"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99d480000"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99d480000"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9a6408272",
            "parentcaller": "0x7ff9a6408b42",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9a9c32140",
            "parentcaller": "0x7ff9a9c31ddd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9a9bf56f3",
            "parentcaller": "0x7ff9a9c320bb",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-28 21:56:24,691",
            "thread_id": "5360",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}"
              },
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004fa"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc5\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb0\\xc6\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004fa"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004fa"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xc4\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00@\\xc5\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004fa"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xc4\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00@\\xc5\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004fa"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc2\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00p\\xc3\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004fa"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004fa"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xc1\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x00\\xc2\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004fa"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xc1\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x00\\xc2\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004fa"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a972ae1c",
            "parentcaller": "0x7ff9a9728039",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004fa"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728085",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xc0\\xef+\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xfa\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00@\\xc1\\xef+\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fa"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004fa"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a972b02a",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x000004fe"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a972b061",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004fe"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a972b0c5",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fe"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x000004fa"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a970953c",
            "parentcaller": "0x7ff9a970806b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004fa"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a9708090",
            "parentcaller": "0x7ff9a96dace7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fa"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-06-28 21:56:24,707",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99eea0000"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-06-28 21:56:24,722",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99eea0000"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-06-28 21:56:24,722",
            "thread_id": "5360",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff99eea0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-06-28 21:56:24,722",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff99eea0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99eeb5da0"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-06-28 21:56:24,722",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff99eea0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-06-28 21:56:24,722",
            "thread_id": "5360",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff99eea0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99eeb5e50"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-06-28 21:56:24,738",
            "thread_id": "5360",
            "caller": "0x7ff9a97708cd",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000408"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Storage.Streams.DataWriter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-06-28 21:56:24,738",
            "thread_id": "5360",
            "caller": "0x7ff9a9770927",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004fc"
              },
              {
                "name": "KeyInformation",
                "value": "?\t(\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00D\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00S\\x00t\\x00r\\x00e\\x00a\\x00m\\x00s\\x00.\\x00D\\x00a\\x00t\\x00a\\x00W\\x00r\\x00i\\x00t\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x1f)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xffb8\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x1f\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\xffab\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x0cB)D\\x02\\x00\\x00\\xffc9\\xffe7\\xffef+\\xffae\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc7\\xffb3\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00\\xffa0\\x14\\x1f)D\\x02\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f)D\\x02\\x00\\x00\\xffc4\\x02\\x1f)D\\x02\\x00\\x00\\x00\\x00\\x1f)D\\x02\\x00\\x00XU\\xff9b\\xffa9\\xfff9\\x7f\\x00\\x008mE)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffe8\\xffef+\\xffae\\x00\\x00\\x00\\xff98kp\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00p\\x07F)D\\x02\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x10mE)D\\x02\\x00\\x00p\\x07F)D\\x02\\x00\\x00 \\x0fG)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xffae\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\x00\\x00\\xfff0\\x00E)\\x02\\x00\\x00\\x00\\xffa6Ap\\xffa9\\xfff9\\x7f\\x00\\x00\\xff903G)D\\x02\\x00\\x00 
\\x0fG)D\\x02\\x00\\x000\\x10F)D\\x02\\x00\\x000\\x10F)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x07F)D\\x02\\x00\\x000\\x10F)D\\x02\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00\\x10\\xffebF)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffef+\\xffae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffebF)D\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xffae\\x00\\x00\\x00\\xff90\\xffe9\\xffef+\\xffae\\x00\\x00\\x00\\xffa1Ep\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a97356ac",
            "parentcaller": "0x7ff9a979b1b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004fc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a976ab76",
            "parentcaller": "0x7ff9a976f113",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a4de1f18",
            "parentcaller": "0x7ff9a4de2681",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a96de87e",
            "parentcaller": "0x7ff9a970ced5",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 5,
            "id": 769
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "5360",
            "caller": "0x7ff9a8498cfe",
            "parentcaller": "0x7ff9a9d476bf",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0004+\\xae\\x00\\x00\\x00<\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5360"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004f8"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000004fc"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\NOTEPAD.EXE"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "5432"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-06-28 21:56:24,753",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 772
          },
          {
            "timestamp": "2026-06-28 21:56:24,800",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\NOTEPAD.EXE"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "CreationFlags",
                "value": "0x04080414",
                "pretty_value": "CREATE_SUSPENDED|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT|CREATE_DEFAULT_ERROR_MODE"
              },
              {
                "name": "ProcessId",
                "value": "5432"
              },
              {
                "name": "ThreadId",
                "value": "5436"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x000004f8"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000004fc"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-06-28 21:56:24,800",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\MPR"
              },
              {
                "name": "DllBase",
                "value": "0x7ff998030000"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-06-28 21:56:24,800",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 775
          },
          {
            "timestamp": "2026-06-28 21:56:24,800",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\pcacli"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a31d0000"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "ShellExecuteExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "FilePath",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Parameters",
                "value": ""
              },
              {
                "name": "Show",
                "value": "1",
                "pretty_value": "SW_SHOWNORMAL"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a456713",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000344"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a456713",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a456147",
            "parentcaller": "0x7ff79a45c862",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a45618e",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c68b000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a45618e",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c67d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4561a2",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c67d000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4561ca",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c671000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a456204",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c671000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a456204",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c661000"
              },
              {
                "name": "RegionSize",
                "value": "0x00027000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a456204",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a46857e",
            "parentcaller": "0x7ff79a45c87c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c661000"
              },
              {
                "name": "RegionSize",
                "value": "0x00027000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a46857e",
            "parentcaller": "0x7ff79a45c87c",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00037000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x8f?\\x00\\x00p\\xedO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00x\\xedO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00\\x90\\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00\\x98\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4606a0",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xedO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00x\\xedO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00\\x90\\xecO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00\\x98\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a46064e",
            "parentcaller": "0x7ff79a45d003",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xedO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00x\\xedO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a45d00a",
            "parentcaller": "0x7ff79a459826",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xecO+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xecO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a45d02f",
            "parentcaller": "0x7ff79a459826",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeaO+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x08\\xeaO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a45d04b",
            "parentcaller": "0x7ff79a459826",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c651000"
              },
              {
                "name": "RegionSize",
                "value": "0x00037000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a45d04b",
            "parentcaller": "0x7ff79a459826",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c641000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a462784",
            "parentcaller": "0x7ff79a4604ae",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a4604da",
            "parentcaller": "0x7ff79a45ce8d",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "3\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 802
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a460099",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-06-28 21:56:24,816",
            "thread_id": "4448",
            "caller": "0x7ff79a45fb34",
            "parentcaller": "0x7ff79a45f438",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "8\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45fb34",
            "parentcaller": "0x7ff79a45f438",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "3\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45fc59",
            "parentcaller": "0x7ff79a45fb52",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442947c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a46004c",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "3\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 807
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a460099",
            "parentcaller": "0x7ff79a45f9b7",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": false,
            "return": "0xffffffffc0000011",
            "pretty_return": "END_OF_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45fb34",
            "parentcaller": "0x7ff79a45f52a",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "8\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45fb34",
            "parentcaller": "0x7ff79a45f52a",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000514"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "3\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 810
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45cec6",
            "parentcaller": "0x7ff79a459826",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a459887",
            "parentcaller": "0x7ff79a465bf0",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c621000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a46857e",
            "parentcaller": "0x7ff79a45c9c9",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c621000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x8f?\\x00\\x00@\\xfaO+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00H\\xfaO+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00`\\xf9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00h\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00`\\xf9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00h\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a463992",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf9O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x98\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a4639b3",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf6O+\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xd8\\xf6O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a460243",
            "parentcaller": "0x7ff79a46eb6d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00`\\xf9O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x003\\xac\\x00\\x00h\\xf9O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a46890e",
            "parentcaller": "0x7ff79a468737",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a468a27",
            "parentcaller": "0x7ff79a468930",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a4689bd",
            "parentcaller": "0x7ff79a468953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a468973",
            "parentcaller": "0x7ff79a468737",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45dfd3",
            "parentcaller": "0x7ff79a46eba6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293f6000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45dfd3",
            "parentcaller": "0x7ff79a46eba6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442947c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a45dfd3",
            "parentcaller": "0x7ff79a46eba6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293f6000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xf4O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb8\\xf4O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a463491",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a4635f4",
            "parentcaller": "0x7ff79a4634c9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xf4O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xe8\\xf4O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a463548",
            "parentcaller": "0x7ff79a47c6ce",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp>"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a460243",
            "parentcaller": "0x7ff79a46d266",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00 \\xf8O+\\xae\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00(\\xf8O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 831
          },
          {
            "timestamp": "2026-06-28 21:56:24,832",
            "thread_id": "4448",
            "caller": "0x7ff79a477fa5",
            "parentcaller": "0x7ff79a46d31b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00D\\x02\\x00\\x00\\x80\\xf7O+\\xae\\x00\\x00\\x00\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf7O+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-06-28 21:56:29,878",
            "thread_id": "5884",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xef\\xff+\\xae\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xef\\xff+\\xae\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-06-28 21:56:29,878",
            "thread_id": "5884",
            "caller": "0x7ff9aa9fed8a",
            "parentcaller": "0x7ff9aaa1db07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-06-28 21:56:29,878",
            "thread_id": "5884",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-06-28 21:56:29,878",
            "thread_id": "5884",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a84bb970"
              },
              {
                "name": "Parameter",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-06-28 21:56:29,878",
            "thread_id": "5884",
            "caller": "0x7ff9aaa4d9d4",
            "parentcaller": "0x7ff9a84bba90",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0xc000013a"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aa9f9b1a",
            "parentcaller": "0x7ff9aaa1095c",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c611000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aa9f9b1a",
            "parentcaller": "0x7ff9aaa1095c",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acd7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a31d31b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a31d31b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000050c"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a31d3226",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aa9f9b1a",
            "parentcaller": "0x7ff9aaa1095c",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442947b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00036000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aa9f9b1a",
            "parentcaller": "0x7ff9aaa1095c",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244293f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aa9fed8a",
            "parentcaller": "0x7ff9aaa164ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c68b000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9971f2a64",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9971f2a64",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9971f3905",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff997200edb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a7f8450f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a7f84312",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a7f842ca",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a6c9181d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c8"
              }
            ],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a6c6cf47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a6c6cf47",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c0"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a6c749fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a6c63a64",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff99e094832",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99e0947fb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a4dd7573",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a4decac7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a4dd6632",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a4dd65ea",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a35eb435",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a35e9cff",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a35e9b62",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a35e9b1a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aa9fed8a",
            "parentcaller": "0x7ff9aaa16068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c641000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff99f9b36dc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000470"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff99f9a2b2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff99f992009",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff99f992009",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8498ca3",
            "parentcaller": "0x7ff99f99a798",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442cb10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff99f99a7ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a0"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff99f99cbd2",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99f99cb8a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6b466e",
            "parentcaller": "0x7ff99f6b448d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000045c"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6b466e",
            "parentcaller": "0x7ff99f6b448d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000488"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6b466e",
            "parentcaller": "0x7ff99f6b448d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6b466e",
            "parentcaller": "0x7ff99f6b448d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6b466e",
            "parentcaller": "0x7ff99f6b448d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff99f6b461f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff99f6b44ad",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff99f6a1f32",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99f6a1efb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000434"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6884f5",
            "parentcaller": "0x7ff99f688484",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff99f6b543f",
            "parentcaller": "0x7ff99f6b702f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000480"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9903b4e5e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9903b4e7b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8114d90",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8498ca3",
            "parentcaller": "0x7ff9a961bbab",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442ace0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a961bbcb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a274f90b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a274f606",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c4"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a274f648",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a27575ae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-06-28 21:56:29,972",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a2758c7e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtUpdateWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa90710"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa7269d",
            "parentcaller": "0x7ff9aaa035db",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442acc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9940e4bfb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9940e3102",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9940e30ba",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a5b7298f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a5b710de",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a5b54dd8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a5b54d9b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8718ebe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8718f39",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9d6550f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9d6985e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8498ca3",
            "parentcaller": "0x7ff9a9d62cde",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442ac90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9d62cf6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8498ca3",
            "parentcaller": "0x7ff9a9d62d20",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442ad80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9d6b6bf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9d5e25f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa7269d",
            "parentcaller": "0x7ff9aaa035db",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442caf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa72759",
            "parentcaller": "0x7ff9aaa726a6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043c"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a638b28c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a63611d3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a636119b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a63611d3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a63d3382",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8498ca3",
            "parentcaller": "0x7ff9a63d4ed3",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c2b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a63d3382",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030c"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a7a93edf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a7a92127",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a7a91fba",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a7a91fd7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aa9fed8a",
            "parentcaller": "0x7ff9aaa16068",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2442c611000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa00f47",
            "parentcaller": "0x7ff9a7fb8ecc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001dc"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa00f50",
            "parentcaller": "0x7ff9a7fb8ecc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001e0"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a7fbe419",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d8"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a7a0226f",
            "parentcaller": "0x7ff9aaa09a1d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c8"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a8"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8162bf3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ac"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa2e5a4b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a4"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000018c"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000190"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000194"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000198"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000019c"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a0"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a92a7e34",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000184"
              }
            ],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a92a7e56",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000188"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000180"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a92a8dbe",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a92a8ddb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9715510",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000420"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9789d00",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000160"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a97a78a7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000168"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9789d00",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9789d00",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9789d00",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9781c8e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9781cd0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a977f918",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000140"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a977f93a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000144"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000013c"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9795b1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9795b1e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a978ca5b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000138"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a973354e",
            "parentcaller": "0x7ff9a9732d26",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a973354e",
            "parentcaller": "0x7ff9a9732d2e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000134"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a978ca5b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a973354e",
            "parentcaller": "0x7ff9a9732d26",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a973354e",
            "parentcaller": "0x7ff9a9732d2e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000124"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a9764771",
            "parentcaller": "0x7ff9a9764732",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a9773d89",
            "parentcaller": "0x7ff9a83442d6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000410"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a9773d89",
            "parentcaller": "0x7ff9a83442d6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a9773d89",
            "parentcaller": "0x7ff9a83442d6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8ad2553",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000110"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f8"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000fc"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000100"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000104"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000108"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000010c"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8ad26d5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000118"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8ad275f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8aea3ae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c4"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8aea3ae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8ade715",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa00f47",
            "parentcaller": "0x7ff9a83442d6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ec"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa00f50",
            "parentcaller": "0x7ff9a83442d6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa525a4f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000dc"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa525a79",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000d8"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa778a75",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a8"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa778a95",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ac"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa778ab5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000b0"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a81c2c8f",
            "parentcaller": "0x7ff9a81b163e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a81c2cdb",
            "parentcaller": "0x7ff9a81b163e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b0"
              },
              {
                "name": "ValueName",
                "value": "DisableMetaFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a81c2d0a",
            "parentcaller": "0x7ff9a81b163e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000b0"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a81c2d3a",
            "parentcaller": "0x7ff9a81b163e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a81c2d88",
            "parentcaller": "0x7ff9a81b163e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b0"
              },
              {
                "name": "ValueName",
                "value": "DisableUmpdBufferSizeCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a81c2dbb",
            "parentcaller": "0x7ff9a81b163e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000b0"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a81af382",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a81af33a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa284fc4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a4"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa284ff2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a0"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000009c"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a9c67f02",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9c668da",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9c4efb4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aaa40346",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9aa3e73c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000074"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a8440d32",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000068"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a84407a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000006c"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a84407cc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000070"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-06-28 21:56:29,988",
            "thread_id": "5884",
            "caller": "0x7ff9aaa4da38",
            "parentcaller": "0x7ff9a84bba90",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0xc000013a"
              }
            ],
            "repeated": 0,
            "id": 1025
          }
        ],
        "threads": [
          "4448",
          "2848",
          "3108",
          "4184",
          "3092",
          "5340",
          "5348",
          "5356",
          "5360",
          "5884"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff79a450000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 4468,
        "process_name": "systeminfo.exe",
        "parent_id": 2108,
        "module_path": "C:\\Windows\\System32\\systeminfo.exe",
        "first_seen": "2026-06-28 21:56:15,025",
        "calls": [
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9a0cc9191",
            "parentcaller": "0x7ff9a0cccd1e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9a0ccc853",
            "parentcaller": "0x7ff9a0cc9255",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\WBEM\\CIMOM"
              },
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9a0ccc8f0",
            "parentcaller": "0x7ff9a0cc9255",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000228"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "2"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "23"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "55"
              },
              {
                "name": "MaxValueNameLength",
                "value": "31"
              },
              {
                "name": "MaxValueLength",
                "value": "29218"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9a0ccc535",
            "parentcaller": "0x7ff9a0ccc468",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "ValueName",
                "value": "Logging"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\Logging"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9a0ccc73c",
            "parentcaller": "0x7ff9a0cc9298",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9a0cc9191",
            "parentcaller": "0x7ff9a0cc9105",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9a849294b",
            "parentcaller": "0x7ff9a0cc3e3a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\framedynos"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a0cc0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a0cd3510"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "1140",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6573e1b00"
              },
              {
                "name": "Parameter",
                "value": "0x33820ad000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "3860",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa077c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000003c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 9
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "3152",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xa0\\xef?\\x823\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xef?\\x823\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "3860",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xef7\\x823\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xef7\\x823\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "3860",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-28 21:56:15,166",
            "thread_id": "3860",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "2016",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xeb/\\x823\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xeb/\\x823\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "2016",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "2016",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1996",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xf1'\\x823\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xf1'\\x823\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1996",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae605b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1996",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1996",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573e1ea1",
            "parentcaller": "0x7ff6573e19d9",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff6573e1e50"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573e191e",
            "parentcaller": "0x7ff6573e1a19",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae79e7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573db31f",
            "parentcaller": "0x7ff6573dbd06",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf4\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00h\\xf4\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573dd94f",
            "parentcaller": "0x7ff6573d6c7f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae605c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573dc8db",
            "parentcaller": "0x7ff6573dc9d1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xf7\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xf7\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d6c18",
            "parentcaller": "0x7ff6573d10b1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x003\\x00\\x00\\x00\\xb0\\xf7\\xed\\x813\\x00\\x00\\x00\\\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xb8\\xf7\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x3381edf630"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6062000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1140"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000214"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a603f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6033f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000214"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-28 21:56:15,181",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000254"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\xfa@4I\\xb9\\x02\\xc7\\xd8\\xc9\\xb1\\xbb\\xec\n\\x9dzD\\xe2\\x9b\\x956\\xf9\\x9a\\x84\\x82\\xd4fB\\x86H\\xca\\xdb\\xa8-\\x8e\\x89\\x1aq>9?\\xd4\\xe2NG`J\\xb5\\x86"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ad",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6063000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6069000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae606b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae606d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000260"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "RaiseActivationAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xee\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff@\\xef\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000266"
              },
              {
                "name": "SubKey",
                "value": "AppID\\systeminfo.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\systeminfo.exe"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64GetCurrentMachine"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa40d80"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64IsWowGuestMachineSupported"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6c590"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000266"
              },
              {
                "name": "SubKey",
                "value": "AppID\\systeminfo.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\systeminfo.exe"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf3\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x01F\\xa8\\xf9\\x7f\\x00\\x00be\\xea\\xeb;%\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-28 21:56:15,197",
            "thread_id": "1140",
            "caller": "0x7ff6573d78ee",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-28 21:56:19,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d7916",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-28 21:56:19,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d7916",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wbemcomn"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a0f30000"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-28 21:56:19,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d7916",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc40000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-28 21:56:19,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d7916",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "API-MS-Win-Core-LocalRegistry-L1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-28 21:56:19,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d7916",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc40000"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-28 21:56:19,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d7916",
            "parentcaller": "0x7ff6573d6c26",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573d7916",
            "parentcaller": "0x7ff6573d6c26",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F811-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "DC12A687-737F-11CF-884D-00AA004B2E24"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573def98",
            "parentcaller": "0x7ff6573e0122",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff6573d0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\systeminfo.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 1,
            "id": 117
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000b0"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa3d0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3da190"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3efe60"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae9290000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3381edee40"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573df031",
            "parentcaller": "0x7ff6573e0122",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\x1dx\\x18\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dc3da",
            "parentcaller": "0x7ff6573df11b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dab70",
            "parentcaller": "0x7ff6573d7a4f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a95f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573dab70",
            "parentcaller": "0x7ff6573d7a4f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a95f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1eae6061780"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "2796"
              },
              {
                "name": "ProcessId",
                "value": "4468"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "2796",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "2796",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1eae6061780"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "3796",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe0\\xecO\\x823\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xecO\\x823\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "3796",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6079000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "3796",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "3796",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x1eae6030b50"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "3796",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002ec"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "3796",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae607a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "4356",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xefW\\x823\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xefW\\x823\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "4356",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-28 21:56:19,431",
            "thread_id": "4356",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x1eae6030b50"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-28 21:56:19,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-28 21:56:19,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-28 21:56:19,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc20000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-28 21:56:19,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemsvc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc20000"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-28 21:56:19,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-28 21:56:19,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-l1-2-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-28 21:56:19,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-obsolete-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-28 21:56:19,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\fastprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99dc10000"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-28 21:56:19,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 160
          },
          {
            "timestamp": "2026-06-28 21:56:19,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\fastprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99dc10000"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-28 21:56:19,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\amsi"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e360000"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-28 21:56:19,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "amsi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e360000"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-28 21:56:19,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-28 21:56:19,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 7,
            "id": 165
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d81ea",
            "category": "com",
            "api": "WbemLocator_ConnectServer",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NetworkResource",
                "value": "root\\cimv2"
              },
              {
                "name": "User",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d175c",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf5\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xa8\\xf5\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d175c",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d175c",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf5\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xa8\\xf5\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d175c",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Operating System Information ..."
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99dd18000"
              },
              {
                "name": "ModuleName",
                "value": "fastprox.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99dd18000"
              },
              {
                "name": "ModuleName",
                "value": "fastprox.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc31000"
              },
              {
                "name": "ModuleName",
                "value": "wbemsvc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc31000"
              },
              {
                "name": "ModuleName",
                "value": "wbemsvc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000266"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{027947E1-D731-11CE-A357-000000000001}"
              },
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000316"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000026e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xc1\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00\\xd0\\xc2\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000316"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000316"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\wbem\\fastprox.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 195
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-28 21:56:19,494",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xc0\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00`\\xc1\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000316"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xc0\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00`\\xc1\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000316"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000026e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xbe\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00\\x90\\xbf\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000316"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000316"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\wbem\\fastprox.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 227
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbd\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00 \\xbe\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000316"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbd\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00 \\xbe\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000316"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000316"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xbc\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x16\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00`\\xbd\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000316"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000316"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000026e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000030a"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000266"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000316"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d17a9",
            "parentcaller": "0x7ff6573d1137",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000266"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x00000316"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000316"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{7C857801-7381-11CF-884D-00AA004B2E24}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6085000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000266"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x0000031a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000031a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000031e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{7C857801-7381-11CF-884D-00AA004B2E24}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031e"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031a"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-28 21:56:19,509",
            "thread_id": "1140",
            "caller": "0x7ff6573d894a",
            "parentcaller": "0x7ff6573d886a",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-28 21:56:19,556",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6086000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 279
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6089000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae608c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 291
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d199f",
            "parentcaller": "0x7ff6573d1137",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Caption"
              },
              {
                "name": "Value",
                "value": "Microsoft Windows 10 Enterprise LTSC"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "CSName"
              },
              {
                "name": "Value",
                "value": "DESKTOP-P54VDBR"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Version"
              },
              {
                "name": "Value",
                "value": "10.0.19044"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "CSDVersion"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "BuildNumber"
              },
              {
                "name": "Value",
                "value": "19044"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Manufacturer"
              },
              {
                "name": "Value",
                "value": "Microsoft Corporation"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "BuildType"
              },
              {
                "name": "Value",
                "value": "Multiprocessor Free"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "RegisteredUser"
              },
              {
                "name": "Value",
                "value": "Rajesh"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Organization"
              },
              {
                "name": "Value",
                "value": "ReviOS 10 26.04"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SerialNumber"
              },
              {
                "name": "Value",
                "value": "57152-371-9180832-35839"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "WindowsDirectory"
              },
              {
                "name": "Value",
                "value": "C:\\Windows"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SystemDirectory"
              },
              {
                "name": "Value",
                "value": "C:\\Windows\\system32"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "BootDevice"
              },
              {
                "name": "Value",
                "value": "\\Device\\HarddiskVolume1"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Locale"
              },
              {
                "name": "Value",
                "value": "0409"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "FreePhysicalMemory"
              },
              {
                "name": "Value",
                "value": "1598656"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TotalVirtualMemorySize"
              },
              {
                "name": "Value",
                "value": "4455916"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "FreeVirtualMemory"
              },
              {
                "name": "Value",
                "value": "2886404"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "InstallDate"
              },
              {
                "name": "Value",
                "value": "20260628202438.000000-420"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "LastBootUpTime"
              },
              {
                "name": "Value",
                "value": "20260628144559.441926-420"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d944e",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "DataExecutionPrevention_Available"
              },
              {
                "name": "Value",
                "value": "TRUE"
              },
              {
                "name": "Class",
                "value": "Win32_OperatingSystem"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d61a0",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xf4\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe0\\xa2\\x06\\xe6\\xea\\x01\\x00\\x008\\xf6\\xed\\x813\\x00\\x00\\x00\\xe0\\xa2\\x06\\xe6\\xea\\x01\\x00\\x00\\x00\\xf6\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d61a0",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d622e",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000316"
              },
              {
                "name": "SubKey",
                "value": "MIME\\Database\\Rfc1766"
              },
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\MIME\\Database\\Rfc1766"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6358",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              },
              {
                "name": "ValueName",
                "value": "0409"
              },
              {
                "name": "Data",
                "value": "en-us;@%SystemRoot%\\system32\\mlang.dll,-4386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d63d6",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030a"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d63f4",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000316"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "34"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xe8\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb7\\xe7\\xea\\x01\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000314"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\mlang.dll,-4386"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x1eae78f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\mlang.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\mlang.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000030c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000314"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\mlang.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000030c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae7950000"
              },
              {
                "name": "SectionOffset",
                "value": "0x3381ede2a0"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030c"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "registry",
            "api": "NtSetValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\mlang.dll,-4386"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Buffer",
                "value": "English (United States)"
              },
              {
                "name": "BufferLength",
                "value": "48"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae7950000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae78f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00042000"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d1ca7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d1438",
            "parentcaller": "0x7ff6573d1d9f",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 343
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d34b2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00(\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d34b2",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d34b2",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00(\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d34b2",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Computer Information ..."
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000026e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "Handle",
                "value": "0x0000031e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xc2\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x1e\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00P\\xc3\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000031e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-28 21:56:19,572",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031e"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000031e"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000322"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000322"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000322"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000322"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\wbem\\fastprox.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 366
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000322"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000322"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc0\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x1e\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00\\xe0\\xc1\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000031e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc0\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x1e\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x003\\x00\\x00\\x00\\xe0\\xc1\\xed\\x813\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000031e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000031e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031e"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-28 21:56:19,588",
            "thread_id": "1140",
            "caller": "0x7ff6573d34f9",
            "parentcaller": "0x7ff6573d136e",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 386
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae608f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 397
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d35c2",
            "parentcaller": "0x7ff6573d136e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Model"
              },
              {
                "name": "Value",
                "value": "Standard PC (Q35 + ICH9, 2009)"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Domain"
              },
              {
                "name": "Value",
                "value": "WORKGROUP"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "UserName"
              },
              {
                "name": "Value",
                "value": "DESKTOP-P54VDBR\\Rajesh"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "DomainRole"
              },
              {
                "name": "Value",
                "value": "0"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SystemType"
              },
              {
                "name": "Value",
                "value": "x64-based PC"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Manufacturer"
              },
              {
                "name": "Value",
                "value": "QEMU"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TotalPhysicalMemory"
              },
              {
                "name": "Value",
                "value": "4294967296"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d4484",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x98\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d4484",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d4484",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x98\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d4484",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Processor Information ..."
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d44d1",
            "parentcaller": "0x7ff6573d137e",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_Processor"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d44d1",
            "parentcaller": "0x7ff6573d137e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d44d1",
            "parentcaller": "0x7ff6573d137e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-28 21:56:19,603",
            "thread_id": "1140",
            "caller": "0x7ff6573d44d1",
            "parentcaller": "0x7ff6573d137e",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000328"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 422
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000328"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 432
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d45a3",
            "parentcaller": "0x7ff6573d137e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Caption"
              },
              {
                "name": "Value",
                "value": "Intel64 Family 6 Model 60 Stepping 1"
              },
              {
                "name": "Class",
                "value": "Win32_Processor"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Manufacturer"
              },
              {
                "name": "Value",
                "value": "GenuineIntel"
              },
              {
                "name": "Class",
                "value": "Win32_Processor"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "CurrentClockSpeed"
              },
              {
                "name": "Value",
                "value": "3100"
              },
              {
                "name": "Class",
                "value": "Win32_Processor"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d3b9e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x98\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d3b9e",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d3b9e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x98\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d3b9e",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading BIOS Information ..."
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d3beb",
            "parentcaller": "0x7ff6573d138a",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_BIOS"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d3beb",
            "parentcaller": "0x7ff6573d138a",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d3beb",
            "parentcaller": "0x7ff6573d138a",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-28 21:56:20,884",
            "thread_id": "1140",
            "caller": "0x7ff6573d3beb",
            "parentcaller": "0x7ff6573d138a",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 453
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 463
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d3cc0",
            "parentcaller": "0x7ff6573d138a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SMBIOSPresent"
              },
              {
                "name": "Value",
                "value": "TRUE"
              },
              {
                "name": "Class",
                "value": "Win32_BIOS"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d937d",
            "parentcaller": "0x7ff6573d3d13",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "SMBIOSBIOSVersion"
              },
              {
                "name": "Value",
                "value": "?-20260628_190944-vps-4e2c0a77-vps-ovh-net"
              },
              {
                "name": "Class",
                "value": "Win32_BIOS"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Manufacturer"
              },
              {
                "name": "Value",
                "value": "AMIBios"
              },
              {
                "name": "Class",
                "value": "Win32_BIOS"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "ReleaseDate"
              },
              {
                "name": "Value",
                "value": "20181103000000.000000+000"
              },
              {
                "name": "Class",
                "value": "Win32_BIOS"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d1438",
            "parentcaller": "0x7ff6573d3dac",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d48ed",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d48ed",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d48ed",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d48ed",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Input Locale Information ..."
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d4934",
            "parentcaller": "0x7ff6573d1396",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_Keyboard"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d4934",
            "parentcaller": "0x7ff6573d1396",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d4934",
            "parentcaller": "0x7ff6573d1396",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-28 21:56:20,900",
            "thread_id": "1140",
            "caller": "0x7ff6573d4934",
            "parentcaller": "0x7ff6573d1396",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000328"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 487
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000328"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 497
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d49a8",
            "parentcaller": "0x7ff6573d1396",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Layout"
              },
              {
                "name": "Value",
                "value": "00000409"
              },
              {
                "name": "Class",
                "value": "Win32_Keyboard"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d61a0",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xf5\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x80\\xa1\\x06\\xe6\\xea\\x01\\x00\\x00X\\xf7\\xed\\x813\\x00\\x00\\x00\\x80\\xa1\\x06\\xe6\\xea\\x01\\x00\\x00\\x00\\xf7\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d61a0",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d622e",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000326"
              },
              {
                "name": "SubKey",
                "value": "MIME\\Database\\Rfc1766"
              },
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\MIME\\Database\\Rfc1766"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6358",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "0409"
              },
              {
                "name": "Data",
                "value": "en-us;@%SystemRoot%\\system32\\mlang.dll,-4386"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d63d6",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d63f4",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000326"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "ValueName",
                "value": "StringCacheGeneration"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "34"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xe9\\xed\\x813\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb7\\xe7\\xea\\x01\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000328"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000324"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000328"
              },
              {
                "name": "ValueName",
                "value": "@%SystemRoot%\\system32\\mlang.dll,-4386"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "English (United States)"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6463",
            "parentcaller": "0x7ff6573d4a4f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d401d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d401d",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d401d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d401d",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading TimeZone Information ..."
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d4064",
            "parentcaller": "0x7ff6573d13a2",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_TimeZone"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d4064",
            "parentcaller": "0x7ff6573d13a2",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d4064",
            "parentcaller": "0x7ff6573d13a2",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-28 21:56:20,931",
            "thread_id": "1140",
            "caller": "0x7ff6573d4064",
            "parentcaller": "0x7ff6573d13a2",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 531
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-28 21:56:20,947",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-28 21:56:20,963",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 541
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d40d8",
            "parentcaller": "0x7ff6573d13a2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Caption"
              },
              {
                "name": "Value",
                "value": "(UTC-08:00) Pacific Time (US & Canada)"
              },
              {
                "name": "Class",
                "value": "Win32_TimeZone"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d5990",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xb8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d5990",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d5990",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xb8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d5990",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Profile Information ..."
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-28 21:56:20,978",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d59de",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-28 21:56:20,994",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d59de",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-28 21:56:20,994",
            "thread_id": "1140",
            "caller": "0x7ff6573d7dde",
            "parentcaller": "0x7ff6573d59de",
            "category": "com",
            "api": "WbemLocator_ConnectServer",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NetworkResource",
                "value": "root\\default"
              },
              {
                "name": "User",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-28 21:56:20,994",
            "thread_id": "1140",
            "caller": "0x7ff6573d9be2",
            "parentcaller": "0x7ff6573da079",
            "category": "system",
            "api": "WMI_GetObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ObjectPath",
                "value": "StdRegProv"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9be2",
            "parentcaller": "0x7ff6573da079",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9be2",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\WBEM\\CIMOM"
              },
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9be2",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              },
              {
                "name": "ValueName",
                "value": "EnableObjectValidation"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\EnableObjectValidation"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9be2",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 564
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9c54",
            "parentcaller": "0x7ff6573da079",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-28 21:56:21,009",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "system",
            "api": "WMI_ExecMethod",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ObjectPath",
                "value": "StdRegProv"
              },
              {
                "name": "MethodName",
                "value": "GetStringValue"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 576
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d9dc3",
            "parentcaller": "0x7ff6573da079",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "ReturnValue"
              },
              {
                "name": "Value",
                "value": "0"
              },
              {
                "name": "Class",
                "value": "__PARAMETERS"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d9eed",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "sValue"
              },
              {
                "name": "Value",
                "value": "\\\\DESKTOP-P54VDBR"
              },
              {
                "name": "Class",
                "value": "__PARAMETERS"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d4216",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d4216",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d4216",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d4216",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Pagefile Information ..."
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d425d",
            "parentcaller": "0x7ff6573d13ba",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_PageFileUsage"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d425d",
            "parentcaller": "0x7ff6573d13ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d425d",
            "parentcaller": "0x7ff6573d13ba",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-28 21:56:22,822",
            "thread_id": "1140",
            "caller": "0x7ff6573d425d",
            "parentcaller": "0x7ff6573d13ba",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 596
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 606
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d42d5",
            "parentcaller": "0x7ff6573d13ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Caption"
              },
              {
                "name": "Value",
                "value": "C:\\pagefile.sys"
              },
              {
                "name": "Class",
                "value": "Win32_PageFileUsage"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d4b27",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x98\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d4b27",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d4b27",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x98\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d4b27",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Hotfix Information ..."
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d4b71",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d4b71",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d4b71",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-28 21:56:23,056",
            "thread_id": "1140",
            "caller": "0x7ff6573d4b71",
            "parentcaller": "0x7ff6573d13c6",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 625
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 635
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "HotFixID"
              },
              {
                "name": "Value",
                "value": "KB5004331"
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "FixComments"
              },
              {
                "name": "Value",
                "value": ""
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 647
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-28 21:56:23,306",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "HotFixID"
              },
              {
                "name": "Value",
                "value": "KB5003791"
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "FixComments"
              },
              {
                "name": "Value",
                "value": ""
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 659
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Status",
                "value": "Log limit reached"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "HotFixID"
              },
              {
                "name": "Value",
                "value": "KB5006670"
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "FixComments"
              },
              {
                "name": "Value",
                "value": ""
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000324"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 671
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d4c45",
            "parentcaller": "0x7ff6573d13c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "HotFixID"
              },
              {
                "name": "Value",
                "value": "KB5005699"
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "FixComments"
              },
              {
                "name": "Value",
                "value": ""
              },
              {
                "name": "Class",
                "value": "Win32_QuickFixEngineering"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d500c",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf5\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf5\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d500c",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d500c",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf5\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\xc8\\xf5\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d500c",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Network Card Information ..."
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d5057",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d5057",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d5057",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-06-28 21:56:23,322",
            "thread_id": "1140",
            "caller": "0x7ff6573d5057",
            "parentcaller": "0x7ff6573d13d2",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 690
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 699
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "0"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "Microsoft Kernel Debug Network Adapter"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 712
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "1"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "Intel(R) PRO/1000 MT Network Connection"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "Ethernet"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "2"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d5326",
            "parentcaller": "0x7ff6573d13d2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae79e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-06-28 21:56:23,416",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "WMI_GetObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ObjectPath",
                "value": "Win32_NetworkAdapterConfiguration.Index=1"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 728
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d564f",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8f9e",
            "parentcaller": "0x7ff6573d903e",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "IPAddress"
              },
              {
                "name": "Value",
                "value": "Array"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapterConfiguration"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "DHCPServer"
              },
              {
                "name": "Value",
                "value": "192.168.122.1"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapterConfiguration"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "DHCPEnabled"
              },
              {
                "name": "Value",
                "value": "TRUE"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapterConfiguration"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d937d",
            "parentcaller": "0x7ff6573d56ac",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 741
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "2"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (SSTP)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 754
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "3"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (IKEv2)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-06-28 21:56:23,447",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 767
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "4"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (L2TP)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 780
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "5"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (PPTP)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 793
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "6"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (PPPOE)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 806
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "7"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (IP)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 819
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "8"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (IPv6)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 832
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5119",
            "parentcaller": "0x7ff6573d13d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Index"
              },
              {
                "name": "Value",
                "value": "9"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "Description"
              },
              {
                "name": "Value",
                "value": "WAN Miniport (Network Monitor)"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d91fc",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionID"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d932f",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "NetConnectionStatus"
              },
              {
                "name": "Value",
                "value": "NULL"
              },
              {
                "name": "Class",
                "value": "Win32_NetworkAdapter"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d5ae5",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00x\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d5ae5",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d5ae5",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf6\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x00x\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d6116",
            "parentcaller": "0x7ff6573d5ae5",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "Loading Hyper-V Information ..."
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5b30",
            "parentcaller": "0x7ff6573d13de",
            "category": "system",
            "api": "WMI_CreateInstanceEnum",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "QueryClass",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5b30",
            "parentcaller": "0x7ff6573d13de",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5b30",
            "parentcaller": "0x7ff6573d13de",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5b30",
            "parentcaller": "0x7ff6573d13de",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 853
          },
          {
            "timestamp": "2026-06-28 21:56:23,463",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\AMSI\\Providers"
              },
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "38"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 862
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5bab",
            "parentcaller": "0x7ff6573d13de",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d8eab",
            "parentcaller": "0x7ff6573d944e",
            "category": "system",
            "api": "WMI_Get",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "HypervisorPresent"
              },
              {
                "name": "Value",
                "value": "TRUE"
              },
              {
                "name": "Class",
                "value": "Win32_ComputerSystem"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d5c71",
            "parentcaller": "0x7ff6573d13de",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae79ea000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d6097",
            "parentcaller": "0x7ff6573d13f1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xea\\x01\\x00\\x000\\xf7\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x008\\xf7\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d60d0",
            "parentcaller": "0x7ff6573d13f1",
            "category": "system",
            "api": "WriteConsoleW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ConsoleHandle",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "                                                                              \\x00"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573d60e3",
            "parentcaller": "0x7ff6573d13f1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xea\\x01\\x00\\x000\\xf7\\xed\\x813\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xea\\x01\\x00\\x008\\xf7\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573db064",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xf9\\x7f\\x00\\x000\\xf7\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x008\\xf7\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 873
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573db064",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 875
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Host Name:                 "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 877
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "DESKTOP-P54VDBR"
              },
              {
                "name": "Length",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 879
          },
          {
            "timestamp": "2026-06-28 21:56:23,478",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 881
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "OS Name:                   "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 883
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Microsoft Windows 10 Enterprise LTSC"
              },
              {
                "name": "Length",
                "value": "36"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 885
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 887
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "OS Version:                "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 889
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "10.0.19044 N/A Build 19044"
              },
              {
                "name": "Length",
                "value": "26"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 891
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 893
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "OS Manufacturer:           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 895
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Microsoft Corporation"
              },
              {
                "name": "Length",
                "value": "21"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 897
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 899
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "OS Configuration:          "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 901
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Standalone Workstation"
              },
              {
                "name": "Length",
                "value": "22"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 903
          },
          {
            "timestamp": "2026-06-28 21:56:23,494",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 905
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "OS Build Type:             "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 907
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Multiprocessor Free"
              },
              {
                "name": "Length",
                "value": "19"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 909
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 911
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Registered Owner:          "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 913
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Rajesh"
              },
              {
                "name": "Length",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 915
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 917
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Registered Organization:   "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 919
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "ReviOS 10 26.04"
              },
              {
                "name": "Length",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 921
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 923
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Product ID:                "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 925
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "57152-371-9180832-35839"
              },
              {
                "name": "Length",
                "value": "23"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 927
          },
          {
            "timestamp": "2026-06-28 21:56:23,509",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 929
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Original Install Date:     "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 931
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "6/28/2026, 8:24:38 PM"
              },
              {
                "name": "Length",
                "value": "21"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 933
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 935
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "System Boot Time:          "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 937
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "6/28/2026, 2:45:59 PM"
              },
              {
                "name": "Length",
                "value": "21"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 939
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 941
          },
          {
            "timestamp": "2026-06-28 21:56:23,525",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "System Manufacturer:       "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-06-28 21:56:23,541",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 943
          },
          {
            "timestamp": "2026-06-28 21:56:23,541",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "QEMU"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 945
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 947
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "System Model:              "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 949
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Standard PC (Q35 + ICH9, 2009)"
              },
              {
                "name": "Length",
                "value": "30"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 951
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 953
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "System Type:               "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 955
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "x64-based PC"
              },
              {
                "name": "Length",
                "value": "12"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 957
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 959
          },
          {
            "timestamp": "2026-06-28 21:56:23,556",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Processor(s):              "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 961
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "1 Processor(s) Installed."
              },
              {
                "name": "Length",
                "value": "25"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 963
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 965
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 967
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "[01]: Intel64 Family 6 Model 60 Stepping 1 GenuineIntel ~3100 Mhz"
              },
              {
                "name": "Length",
                "value": "65"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 969
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 971
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "BIOS Version:              "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 973
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "AMIBios ?-20260628_190944-vps-4e2c0a77-vps-ovh-net, 11/3/2018"
              },
              {
                "name": "Length",
                "value": "61"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 975
          },
          {
            "timestamp": "2026-06-28 21:56:23,572",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 977
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Windows Directory:         "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 979
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "C:\\Windows"
              },
              {
                "name": "Length",
                "value": "10"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 981
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 983
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "System Directory:          "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 985
          },
          {
            "timestamp": "2026-06-28 21:56:23,588",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "C:\\Windows\\system32"
              },
              {
                "name": "Length",
                "value": "19"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 987
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 989
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Boot Device:               "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 991
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\\Device\\HarddiskVolume1"
              },
              {
                "name": "Length",
                "value": "23"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 993
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 995
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "System Locale:             "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 997
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "en-us;English (United States)"
              },
              {
                "name": "Length",
                "value": "29"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 999
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1001
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Input Locale:              "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1003
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "en-us;English (United States)"
              },
              {
                "name": "Length",
                "value": "29"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1005
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1007
          },
          {
            "timestamp": "2026-06-28 21:56:23,603",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Time Zone:                 "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1009
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "(UTC-08:00) Pacific Time (US & Canada)"
              },
              {
                "name": "Length",
                "value": "38"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1011
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1013
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Total Physical Memory:     "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1015
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "4,096 MB"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1017
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1019
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Available Physical Memory: "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1021
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "1,561 MB"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1023
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-06-28 21:56:23,619",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1025
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Virtual Memory: Max Size:  "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1027
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "4,351 MB"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1029
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1031
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Virtual Memory: Available: "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1033
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "2,819 MB"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1035
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1037
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Virtual Memory: In Use:    "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1039
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "1,532 MB"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1041
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1043
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Page File Location(s):     "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-06-28 21:56:23,634",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1045
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "C:\\pagefile.sys"
              },
              {
                "name": "Length",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1047
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1049
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Domain:                    "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1051
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "WORKGROUP"
              },
              {
                "name": "Length",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1053
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1055
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Logon Server:              "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1057
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\\\\DESKTOP-P54VDBR"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x003\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1059
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1061
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Hotfix(s):                 "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1063
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "4 Hotfix(s) Installed."
              },
              {
                "name": "Length",
                "value": "22"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-06-28 21:56:23,650",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1065
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1067
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1069
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "[01]: KB5004331"
              },
              {
                "name": "Length",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1071
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1073
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1075
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "[02]: KB5003791"
              },
              {
                "name": "Length",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1077
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1079
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1081
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "[03]: KB5006670"
              },
              {
                "name": "Length",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1083
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2026-06-28 21:56:23,666",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1085
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1087
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "[04]: KB5005699"
              },
              {
                "name": "Length",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1089
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1091
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Network Card(s):           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1093
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "1 NIC(s) Installed."
              },
              {
                "name": "Length",
                "value": "19"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1095
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1097
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1099
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "[01]: Intel(R) PRO/1000 MT Network Connection"
              },
              {
                "name": "Length",
                "value": "45"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1101
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-06-28 21:56:23,681",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1103
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1105
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "      Connection Name: Ethernet"
              },
              {
                "name": "Length",
                "value": "31"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1107
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1109
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1111
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "      DHCP Enabled:    Yes"
              },
              {
                "name": "Length",
                "value": "26"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1113
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1115
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1117
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "      DHCP Server:     192.168.122.1"
              },
              {
                "name": "Length",
                "value": "36"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1119
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1121
          },
          {
            "timestamp": "2026-06-28 21:56:23,697",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1123
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "      IP address(es)"
              },
              {
                "name": "Length",
                "value": "20"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1125
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1127
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1129
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "      [01]: 192.168.122.139"
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1478",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1131
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1478",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1485",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf6\\x7f\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1133
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1485",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "                           "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x003\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1135
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "      [02]: fe80::b437:c6c4:ee55:3525"
              },
              {
                "name": "Length",
                "value": "37"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1137
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e13c3",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1139
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e13c3",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "Hyper-V Requirements:      "
              },
              {
                "name": "Length",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e141d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1141
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e141d",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "A hypervisor has been detected. Features required for Hyper-V will not be displayed."
              },
              {
                "name": "Length",
                "value": "84"
              }
            ],
            "repeated": 0,
            "id": 1142
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dcf1a",
            "parentcaller": "0x7ff6573e1496",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000048"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf6\\xed\\x813\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xea\\x01\\x00\\x00\\x18\\xf6\\xed\\x813\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 1143
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd04c",
            "parentcaller": "0x7ff6573e1496",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000060"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "Buffer",
                "value": "\r\n"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd870",
            "parentcaller": "0x7ff6573d11ea",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6087000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573dd870",
            "parentcaller": "0x7ff6573d11ea",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae605c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c4"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6063000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6071000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6000000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026e"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6071000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc20000"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 1164
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc40000"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "EtwUnregisterTraceGuids"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa40330"
              }
            ],
            "repeated": 0,
            "id": 1167
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2026-06-28 21:56:23,713",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnregisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6ede0"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnsubscribeWnfNotificationWaitForCompletion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa52570"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\fastprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99dc10000"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "EtwUnregisterTraceGuids"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa40330"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000028c"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wbemcomn"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a0f30000"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a0f30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99dc10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573d11f1",
            "parentcaller": "0x7ff6573e1a7d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0xfffffffe"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2026-06-28 21:56:23,728",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6010000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1eae6063000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\WBEM\\CIMOM"
              },
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000228"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "2"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "23"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "55"
              },
              {
                "name": "MaxValueNameLength",
                "value": "31"
              },
              {
                "name": "MaxValueLength",
                "value": "29218"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "ValueName",
                "value": "Logging"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\Logging"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 1203
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d8"
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001dc"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d4"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c8"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ac"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001b0"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a8"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000190"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000194"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000198"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000019c"
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a0"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a4"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000188"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000018c"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000184"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000164"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000180"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000144"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000148"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000140"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000013c"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000134"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000138"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000fc"
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000100"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000104"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000108"
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000010c"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000110"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000011c"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000118"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f8"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000dc"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e0"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a0"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a4"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a8"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a8"
              },
              {
                "name": "ValueName",
                "value": "DisableMetaFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a8"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a8"
              },
              {
                "name": "ValueName",
                "value": "DisableUmpdBufferSizeCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a8"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000b8"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001e8"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000b4"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000074"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000004c"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000006c"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000070"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2026-06-28 21:56:23,744",
            "thread_id": "1140",
            "caller": "0x7ff6573e1a94",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1279
          }
        ],
        "threads": [
          "1140",
          "3860",
          "3152",
          "2016",
          "1996",
          "2796",
          "3796",
          "4356"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "systeminfo  ",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff6573d0000",
          "MainExeSize": "0x0001f000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 756,
        "process_name": "svchost.exe",
        "parent_id": 632,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2026-06-28 21:56:15,225",
        "calls": [
          {
            "timestamp": "2026-06-28 21:56:17,694",
            "thread_id": "3624",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000ca8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ca8"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-28 21:56:17,694",
            "thread_id": "1176",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000ed4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ed4"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-28 21:56:17,694",
            "thread_id": "1176",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000880"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-28 21:56:17,694",
            "thread_id": "3624",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000c28"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000c28"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-28 21:56:18,022",
            "thread_id": "3624",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000c28"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000880"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-28 21:56:18,803",
            "thread_id": "3624",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000880"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-28 21:56:21,038",
            "thread_id": "848",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-28 21:56:21,038",
            "thread_id": "848",
            "caller": "0x7ff9a8494796",
            "parentcaller": "0x7ff9a849466e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e54240000"
              },
              {
                "name": "SectionOffset",
                "value": "0x36abffd4b0"
              },
              {
                "name": "ViewSize",
                "value": "0x0007a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-28 21:56:21,038",
            "thread_id": "848",
            "caller": "0x7ff9a8438e73",
            "parentcaller": "0x7ff9a84363c3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000c28"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "140707423587124"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-28 21:56:22,616",
            "thread_id": "848",
            "caller": "0x7ff9a84363c3",
            "parentcaller": "0x7ff9aa3edb20",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000010",
                "pretty_value": "CREATE_NEW_CONSOLE"
              },
              {
                "name": "ProcessId",
                "value": "2868"
              },
              {
                "name": "ThreadId",
                "value": "3472"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000c28"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-28 21:56:28,788",
            "thread_id": "848",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-28 21:56:29,225",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000e40"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000c24"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-28 21:56:29,225",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000e40"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000e40"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-28 21:56:29,225",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000534"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000880"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-28 21:56:29,522",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000534"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000534"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-28 21:56:29,522",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000e40"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000c24"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-28 21:56:29,522",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000534"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000880"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-28 21:56:29,756",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000534"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000534"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-28 21:56:29,756",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000e40"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000c24"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000e40"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-28 21:56:29,756",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000880"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000534"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000880"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-28 21:56:30,210",
            "thread_id": "1176",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a84632e1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7170000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-28 21:56:31,460",
            "thread_id": "1176",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000ed4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ed4"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-28 21:56:38,788",
            "thread_id": "848",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ed4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-28 21:56:45,788",
            "thread_id": "3624",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a84632e1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7170000"
              }
            ],
            "repeated": 1,
            "id": 23
          },
          {
            "timestamp": "2026-06-28 21:56:48,803",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000880"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-28 21:56:53,053",
            "thread_id": "844",
            "caller": "0x7ff9a8438e73",
            "parentcaller": "0x7ff9a84363c3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000864"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000880"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\DllHost.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "140707423590016"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-28 21:56:53,178",
            "thread_id": "844",
            "caller": "0x7ff9a84363c3",
            "parentcaller": "0x7ff9aa3edb20",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\DllHost.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000410",
                "pretty_value": "CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT"
              },
              {
                "name": "ProcessId",
                "value": "5760"
              },
              {
                "name": "ThreadId",
                "value": "4664"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000864"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000880"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-28 21:56:58,803",
            "thread_id": "848",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-28 21:57:08,803",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e5c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-28 21:57:14,303",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000d9c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000d9c"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-28 21:57:18,803",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-28 21:57:22,522",
            "thread_id": "844",
            "caller": "0x7ff9a60622bd",
            "parentcaller": "0x7ff9a5e5d529",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000e5c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000864"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-28 21:57:22,522",
            "thread_id": "844",
            "caller": "0x7ff9a60622bd",
            "parentcaller": "0x7ff9a5e5d529",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000e5c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ef4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-28 21:57:22,522",
            "thread_id": "844",
            "caller": "0x7ff9a5e57c24",
            "parentcaller": "0x7ff9a5e57d25",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000ef4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-28 21:57:22,553",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a60ef0c8",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000540"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000071c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-28 21:57:22,553",
            "thread_id": "848",
            "caller": "0x7ff9a8438e73",
            "parentcaller": "0x7ff9a84363c3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008a4"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000081c"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe\" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca"
              },
              {
                "name": "DllPath",
                "value": "C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy;"
              },
              {
                "name": "ProcessId",
                "value": "140707423588696"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-28 21:57:22,616",
            "thread_id": "6012",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000d14"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-28 21:57:26,210",
            "thread_id": "848",
            "caller": "0x7ff9a84363c3",
            "parentcaller": "0x7ff9aa3edb20",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe\" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca"
              },
              {
                "name": "CreationFlags",
                "value": "0x00080414",
                "pretty_value": "CREATE_SUSPENDED|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "4440"
              },
              {
                "name": "ThreadId",
                "value": "4536"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x000008a4"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000081c"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-28 21:57:28,069",
            "thread_id": "848",
            "caller": "0x7ff9a612d1c9",
            "parentcaller": "0x7ff9a60f23f4",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000081c"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "4536"
              },
              {
                "name": "ProcessId",
                "value": "4440"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-28 21:57:28,803",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-28 21:57:29,241",
            "thread_id": "844",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000864"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000864"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "1176",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000033c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-3262678163-160926255-2192883574-1002.pckgdep"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "1176",
            "caller": "0x7ff9a846b39a",
            "parentcaller": "0x7ff9a846b6a8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000864"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "1176",
            "caller": "0x7ff9a846b6e9",
            "parentcaller": "0x7ff9a846b7fa",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "1176",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-18.pckgdep"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "2648",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000864"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-3262678163-160926255-2192883574-1002.pckgdep"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "2648",
            "caller": "0x7ff9a846b39a",
            "parentcaller": "0x7ff9a846b6a8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000033c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "2648",
            "caller": "0x7ff9a846b6e9",
            "parentcaller": "0x7ff9a846b7fa",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "2648",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000edc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-3262678163-160926255-2192883574-1002.pckgdep"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "2648",
            "caller": "0x7ff9a846b39a",
            "parentcaller": "0x7ff9a846b6a8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000008ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-28 21:57:29,631",
            "thread_id": "2648",
            "caller": "0x7ff9a846b6e9",
            "parentcaller": "0x7ff9a846b7fa",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-28 21:57:29,647",
            "thread_id": "2648",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-3262678163-160926255-2192883574-1002.pckgdep"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-28 21:57:29,647",
            "thread_id": "2648",
            "caller": "0x7ff9a846b39a",
            "parentcaller": "0x7ff9a846b6a8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000efc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-28 21:57:29,647",
            "thread_id": "2648",
            "caller": "0x7ff9a846b6e9",
            "parentcaller": "0x7ff9a846b7fa",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-28 21:57:29,647",
            "thread_id": "2648",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000efc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-3262678163-160926255-2192883574-1002.pckgdep"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-28 21:57:29,647",
            "thread_id": "2648",
            "caller": "0x7ff9a846b39a",
            "parentcaller": "0x7ff9a846b6a8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000008ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-28 21:57:29,647",
            "thread_id": "2648",
            "caller": "0x7ff9a846b6e9",
            "parentcaller": "0x7ff9a846b7fa",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x22e53d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-28 21:57:38,803",
            "thread_id": "1176",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000efc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-28 21:57:48,803",
            "thread_id": "1176",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-28 21:57:54,553",
            "thread_id": "1176",
            "caller": "0x7ff9a8438e73",
            "parentcaller": "0x7ff9a84363c3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000864"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000edc"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\DllHost.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "140707423588160"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-28 21:57:54,944",
            "thread_id": "1176",
            "caller": "0x7ff9a84363c3",
            "parentcaller": "0x7ff9aa3edb20",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\DllHost.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000410",
                "pretty_value": "CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT"
              },
              {
                "name": "ProcessId",
                "value": "3904"
              },
              {
                "name": "ThreadId",
                "value": "4108"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000864"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000edc"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-28 21:57:58,788",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000efc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-28 21:58:08,803",
            "thread_id": "3624",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-28 21:58:18,803",
            "thread_id": "3624",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ca8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-28 21:58:20,850",
            "thread_id": "848",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a5f6c100",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-28 21:58:28,803",
            "thread_id": "3624",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000b54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-28 21:58:38,788",
            "thread_id": "848",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 2,
            "id": 66
          },
          {
            "timestamp": "2026-06-28 21:59:08,788",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000864"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-28 21:59:18,788",
            "thread_id": "3624",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000b54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-28 21:59:28,803",
            "thread_id": "844",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000864"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 69
          }
        ],
        "threads": [
          "3624",
          "1176",
          "848",
          "844",
          "6012",
          "2648"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff69d480000",
          "MainExeSize": "0x00011000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 3036,
        "process_name": "svchost.exe",
        "parent_id": 632,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2026-06-28 21:56:17,336",
        "calls": [
          {
            "timestamp": "2026-06-28 21:56:17,929",
            "thread_id": "4924",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000644"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-28 21:56:17,929",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-28 21:56:17,929",
            "thread_id": "4924",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a19f359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff98ba90000"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-28 21:56:17,929",
            "thread_id": "4924",
            "caller": "0x7ff9a19f35f7",
            "parentcaller": "0x7ff9a96ca55e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-28 21:56:19,445",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-28 21:56:19,445",
            "thread_id": "4924",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a19f359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff98ba90000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-28 21:56:19,445",
            "thread_id": "4924",
            "caller": "0x7ff9a19f35f7",
            "parentcaller": "0x7ff9a96ca55e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-28 21:56:19,461",
            "thread_id": "1400",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-28 21:56:19,461",
            "thread_id": "1400",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-28 21:56:19,461",
            "thread_id": "1400",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 9
          },
          {
            "timestamp": "2026-06-28 21:56:19,492",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006f0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-28 21:56:19,492",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006fc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-28 21:56:19,492",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-28 21:56:19,492",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-28 21:56:19,492",
            "thread_id": "1400",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "1400",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "1400",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x92\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006c8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a96d879f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006b0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4924",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006ac"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4708",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006a8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "2064",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986affb3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "2064",
            "caller": "0x7ff99dc3b02d",
            "parentcaller": "0x7ff99dc3a607",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 28
          },
          {
            "timestamp": "2026-06-28 21:56:19,507",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-28 21:56:19,523",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 30
          },
          {
            "timestamp": "2026-06-28 21:56:19,570",
            "thread_id": "4924",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-28 21:56:19,570",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x05\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-28 21:56:19,570",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xa0\\x05\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-28 21:56:19,570",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-28 21:56:19,586",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006d8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000070c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-28 21:56:19,586",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006d8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000704"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-28 21:56:19,586",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-28 21:56:19,586",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-28 21:56:19,586",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-28 21:56:19,586",
            "thread_id": "2192",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "4924",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00`\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "4924",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000700"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000704"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-28 21:56:19,601",
            "thread_id": "2192",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "2192",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "2192",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x05\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "2192",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000714"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000720"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000714"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006d0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-28 21:56:20,882",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "2192",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\xa1\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "2192",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006f0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000728"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006f0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006d0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-28 21:56:20,898",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-28 21:56:20,914",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "2192",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\xcb\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "2192",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006fc"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006f0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000006fc"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000720"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-28 21:56:20,929",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-28 21:56:20,945",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-28 21:56:20,976",
            "thread_id": "2192",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-28 21:56:20,976",
            "thread_id": "2192",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a19f359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff98ba90000"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-28 21:56:20,976",
            "thread_id": "2192",
            "caller": "0x7ff9a19f35f7",
            "parentcaller": "0x7ff9a96ca55e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-28 21:56:20,976",
            "thread_id": "2192",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 85
          },
          {
            "timestamp": "2026-06-28 21:56:20,976",
            "thread_id": "2192",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff98baa778d",
            "parentcaller": "0x7ff9986af3e9",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 93
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000714"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000704"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00`'\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00`(\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-28 21:56:20,992",
            "thread_id": "2192",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x82\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-28 21:56:21,007",
            "thread_id": "2192",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x82\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-28 21:56:21,007",
            "thread_id": "2192",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x82\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-28 21:56:21,007",
            "thread_id": "2192",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-28 21:56:21,007",
            "thread_id": "2064",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-28 21:56:21,023",
            "thread_id": "2064",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-28 21:56:21,023",
            "thread_id": "2064",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-28 21:56:21,023",
            "thread_id": "4228",
            "caller": "0x7ff99e312508",
            "parentcaller": "0x7ff99e314a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 7,
            "id": 104
          },
          {
            "timestamp": "2026-06-28 21:56:21,023",
            "thread_id": "4228",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x96\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-28 21:56:22,742",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-28 21:56:22,742",
            "thread_id": "4924",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a19f359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff98ba90000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-28 21:56:22,742",
            "thread_id": "4924",
            "caller": "0x7ff9a19f35f7",
            "parentcaller": "0x7ff9a96ca55e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "4924",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "4924",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "4924",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "2064",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "2064",
            "caller": "0x7ff9986b9ec9",
            "parentcaller": "0x7ff9986ab42b",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F87137D-0E7C-44D5-8C73-4EFFB68962F2"
              },
              {
                "name": "ClsContext",
                "value": "0x00090004",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_ENABLE_AAA|CLSCTX_ACTIVATE_64_BIT_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "2064",
            "caller": "0x7ff9986b4e9b",
            "parentcaller": "0x7ff9986b6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 114
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "2064",
            "caller": "0x7ff98baa778d",
            "parentcaller": "0x7ff9986acae0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 115
          },
          {
            "timestamp": "2026-06-28 21:56:22,757",
            "thread_id": "2064",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 116
          },
          {
            "timestamp": "2026-06-28 21:56:22,773",
            "thread_id": "2064",
            "caller": "0x7ff9986b4e9b",
            "parentcaller": "0x7ff9986b6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 117
          },
          {
            "timestamp": "2026-06-28 21:56:22,773",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 118
          },
          {
            "timestamp": "2026-06-28 21:56:22,773",
            "thread_id": "4228",
            "caller": "0x7ff99e312508",
            "parentcaller": "0x7ff99e314a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 7,
            "id": 119
          },
          {
            "timestamp": "2026-06-28 21:56:22,773",
            "thread_id": "4924",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-28 21:56:22,773",
            "thread_id": "4924",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-28 21:56:22,804",
            "thread_id": "2064",
            "caller": "0x7ff9986b4e9b",
            "parentcaller": "0x7ff9986b6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-28 21:56:22,804",
            "thread_id": "2064",
            "caller": "0x7ff99dc3b02d",
            "parentcaller": "0x7ff99dc3a607",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-28 21:56:22,804",
            "thread_id": "2064",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986f9da8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-28 21:56:22,804",
            "thread_id": "2064",
            "caller": "0x7ff99dc3b02d",
            "parentcaller": "0x7ff99dc3a607",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 125
          },
          {
            "timestamp": "2026-06-28 21:56:22,804",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-28 21:56:22,820",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-28 21:56:22,820",
            "thread_id": "4924",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-28 21:56:22,820",
            "thread_id": "4924",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-28 21:56:22,820",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000754"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000700"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000754"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000072c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2192",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 135
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2192",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2192",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-28 21:56:22,836",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x0c\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x0f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000754"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000704"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006f0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000714"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000730"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000708"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000720"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000076c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000744"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "4704",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986affb3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 152
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "4704",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006cc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "4704",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "4704",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000718"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "4708",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 156
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "4364",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006ac"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-28 21:56:22,898",
            "thread_id": "1724",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 158
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4364",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 159
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4704",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000704"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000076c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4704",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000704"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000778"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "2064",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986affb3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 162
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "2064",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 163
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4364",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4708",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4364",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4708",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "4708",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 (\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-28 21:56:22,914",
            "thread_id": "2064",
            "caller": "0x7ff99e312508",
            "parentcaller": "0x7ff99e314a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 7,
            "id": 170
          },
          {
            "timestamp": "2026-06-28 21:56:22,929",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00`\\x1d\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-28 21:56:22,929",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x1e\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-28 21:56:22,929",
            "thread_id": "2064",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \r\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-28 21:56:22,929",
            "thread_id": "4708",
            "caller": "0x7ff9986b4e9b",
            "parentcaller": "0x7ff9986ba210",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-28 21:56:22,929",
            "thread_id": "4708",
            "caller": "0x7ff98baa778d",
            "parentcaller": "0x7ff9986acae0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 175
          },
          {
            "timestamp": "2026-06-28 21:56:22,929",
            "thread_id": "4708",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 176
          },
          {
            "timestamp": "2026-06-28 21:56:22,945",
            "thread_id": "4708",
            "caller": "0x7ff9986b4e9b",
            "parentcaller": "0x7ff9986b6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 177
          },
          {
            "timestamp": "2026-06-28 21:56:22,945",
            "thread_id": "4364",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 178
          },
          {
            "timestamp": "2026-06-28 21:56:22,945",
            "thread_id": "2064",
            "caller": "0x7ff99e312508",
            "parentcaller": "0x7ff99e314a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 7,
            "id": 179
          },
          {
            "timestamp": "2026-06-28 21:56:22,945",
            "thread_id": "4364",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-28 21:56:22,945",
            "thread_id": "4364",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4708",
            "caller": "0x7ff9986b4e9b",
            "parentcaller": "0x7ff9986b6a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4708",
            "caller": "0x7ff99dc3b02d",
            "parentcaller": "0x7ff99dc3a607",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4708",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986affb3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4708",
            "caller": "0x7ff99dc3b02d",
            "parentcaller": "0x7ff99dc3a607",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 185
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4364",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 186
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\\x1a\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x0f\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-28 21:56:22,976",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xa0\\x06\\x01\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-28 21:56:22,992",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 '\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-28 21:56:22,992",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xa0\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-28 21:56:22,992",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\\x1e\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-28 21:56:22,992",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\INDEX.BTR"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x1e\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-28 21:56:22,992",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x13\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-28 21:56:23,039",
            "thread_id": "4364",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 195
          },
          {
            "timestamp": "2026-06-28 21:56:23,054",
            "thread_id": "4924",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-28 21:56:23,054",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000074c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000075c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-28 21:56:23,054",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000074c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000072c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-28 21:56:23,054",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-28 21:56:23,054",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-28 21:56:23,054",
            "thread_id": "4924",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-28 21:56:23,304",
            "thread_id": "2192",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-28 21:56:23,304",
            "thread_id": "2192",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-28 21:56:23,320",
            "thread_id": "2192",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-28 21:56:23,320",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000738"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000764"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-28 21:56:23,320",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000738"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000748"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-28 21:56:23,320",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-28 21:56:23,320",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-28 21:56:23,320",
            "thread_id": "2192",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-28 21:56:23,336",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00`\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xa0\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xc0\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xe0\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-28 21:56:23,414",
            "thread_id": "4364",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986c1fb1",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-28 21:56:23,429",
            "thread_id": "4364",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-28 21:56:23,429",
            "thread_id": "4364",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a96d879f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000708"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-28 21:56:23,429",
            "thread_id": "1724",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-28 21:56:23,445",
            "thread_id": "1724",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-28 21:56:23,461",
            "thread_id": "4364",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-28 21:56:23,461",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000758"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000076c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-28 21:56:23,461",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000758"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000700"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-28 21:56:23,461",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-28 21:56:23,461",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-28 21:56:23,461",
            "thread_id": "4364",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-28 21:56:23,461",
            "thread_id": "1724",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-28 21:56:29,164",
            "thread_id": "4364",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-28 21:56:29,164",
            "thread_id": "4364",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a19f359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff98ba90000"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-28 21:56:29,164",
            "thread_id": "4364",
            "caller": "0x7ff9a19f35f7",
            "parentcaller": "0x7ff9a96ca55e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-28 21:56:29,179",
            "thread_id": "1724",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-28 21:56:29,179",
            "thread_id": "1724",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-28 21:56:29,179",
            "thread_id": "1724",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-28 21:56:29,179",
            "thread_id": "2064",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-28 21:56:29,195",
            "thread_id": "2064",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-28 21:56:29,195",
            "thread_id": "2064",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-28 21:56:29,195",
            "thread_id": "2064",
            "caller": "0x7ff98baa778d",
            "parentcaller": "0x7ff9986af3e9",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 243
          },
          {
            "timestamp": "2026-06-28 21:56:29,195",
            "thread_id": "4228",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000072c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000074c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-28 21:56:29,195",
            "thread_id": "4228",
            "caller": "0x7ff9a849430b",
            "parentcaller": "0x7ff9a0d2adf8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000030c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\wbem\\Repository\\OBJECTS.DATA"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xa0[\\x01\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-28 21:56:29,195",
            "thread_id": "2064",
            "caller": "0x7ff9986add6a",
            "parentcaller": "0x7ff9986ad989",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 8,
            "id": 246
          },
          {
            "timestamp": "2026-06-28 21:56:29,195",
            "thread_id": "2064",
            "caller": "0x7ff9986b7e1d",
            "parentcaller": "0x7ff9986b7a50",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "EAC8A024-21E2-4523-AD73-A71A0AA2F56A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "81166F58-DD98-11D3-A120-00105A1F515A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000075c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003ec"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000075c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000744"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "1724",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "1724",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000408"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000798"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000408"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000754"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-28 21:56:29,211",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-28 21:56:29,226",
            "thread_id": "1724",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-28 21:56:29,226",
            "thread_id": "1724",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a19f359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff98ba90000"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff9a19f35f7",
            "parentcaller": "0x7ff9a96ca55e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff9986b3a1a",
            "parentcaller": "0x7ff98baa9bfb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff9a0f4387e",
            "parentcaller": "0x7ff98baa9cb7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000730"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000414"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000730"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002e8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "1724",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000075c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000748"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "2064",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a0f3c16c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000075c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000750"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "4228",
            "caller": "0x7ff9986b2823",
            "parentcaller": "0x7ff9986b978f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "4228",
            "caller": "0x7ff99dc3aaaf",
            "parentcaller": "0x7ff99dc3a9c8",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-28 21:56:29,742",
            "thread_id": "4924",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-28 21:56:29,757",
            "thread_id": "1724",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc1d725",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-28 21:56:29,757",
            "thread_id": "1724",
            "caller": "0x7ff98baa8eb0",
            "parentcaller": "0x7ff9a9c68e33",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CC9072AB-C000-49D8-A5AA-00266C8DBB9B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "368732C2-80D8-403E-854B-1B2BAFB9842C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-28 21:57:09,242",
            "thread_id": "3676",
            "caller": "0x7ff69d484140",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-28 21:57:09,242",
            "thread_id": "3676",
            "caller": "0x7ff69d484140",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-28 21:57:09,242",
            "thread_id": "3676",
            "caller": "0x7ff69d484140",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-28 21:57:12,586",
            "thread_id": "4132",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004a8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-28 21:57:21,023",
            "thread_id": "1724",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a96d879f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004c0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-28 21:57:51,039",
            "thread_id": "3676",
            "caller": "0x7ff69d484140",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\ES"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a3040000"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-28 21:57:51,039",
            "thread_id": "3676",
            "caller": "0x7ff69d484140",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a3040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 288
          }
        ],
        "threads": [
          "4924",
          "1400",
          "2064",
          "4228",
          "4708",
          "2192",
          "4704",
          "4364",
          "1724",
          "3676",
          "4132"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff69d480000",
          "MainExeSize": "0x00011000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 2868,
        "process_name": "WmiPrvSE.exe",
        "parent_id": 756,
        "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "first_seen": "2026-06-29 12:44:15,963",
        "calls": [
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "336",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535747000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fe8469",
            "parentcaller": "0x7ff712fe7f6c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535748000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712feca74",
            "parentcaller": "0x7ff712fec74d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712feca74",
            "parentcaller": "0x7ff712fec74d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000020c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712feca74",
            "parentcaller": "0x7ff712fec74d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000210"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5375a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x1d4089f7d0"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec96b",
            "parentcaller": "0x7ff712fec762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\USER32.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec96b",
            "parentcaller": "0x7ff712fec762",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53574a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec99f",
            "parentcaller": "0x7ff712fec762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\USER32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec99f",
            "parentcaller": "0x7ff712fec762",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535c80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x1d4089ec50"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rpcss.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000021c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00148000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00148000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000224"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000224"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-29 12:44:16,026",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec378",
            "parentcaller": "0x7ff712feb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53574b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec5a5",
            "parentcaller": "0x7ff712feb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535751000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec5a5",
            "parentcaller": "0x7ff712feb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535752000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec60b",
            "parentcaller": "0x7ff712feb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec60b",
            "parentcaller": "0x7ff712feb501",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec2ca",
            "parentcaller": "0x7ff712feb513",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000274"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535cb0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x1d4089fc00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1b9",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535d27000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1b9",
            "parentcaller": "0x7ff712feb518",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x1e535d21790"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 9,
            "id": 25
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1b9",
            "parentcaller": "0x7ff712feb518",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000290",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a4243ca0"
              },
              {
                "name": "Parameter",
                "value": "0x1e5357521d0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "3348"
              },
              {
                "name": "ProcessId",
                "value": "2868"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53575a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378e2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53575b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53575c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378e6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53575f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712fec1ff",
            "parentcaller": "0x7ff712feb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378eb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-29 12:44:16,041",
            "thread_id": "3472",
            "caller": "0x7ff712feb555",
            "parentcaller": "0x7ff712fec77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc40000"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3472",
            "caller": "0x7ff712feb555",
            "parentcaller": "0x7ff712fec77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc40000"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3472",
            "caller": "0x7ff712feb555",
            "parentcaller": "0x7ff712fec77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F811-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "4232",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535769000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3504",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53576e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3504",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53576f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3504",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002c8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3504",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535770000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3472",
            "caller": "0x7ff712feb5bc",
            "parentcaller": "0x7ff712fec77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3472",
            "caller": "0x7ff712feb5bc",
            "parentcaller": "0x7ff712fec77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3472",
            "caller": "0x7ff712feb5bc",
            "parentcaller": "0x7ff712fec77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc20000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3472",
            "caller": "0x7ff712feb5bc",
            "parentcaller": "0x7ff712fec77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemsvc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc20000"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-29 12:44:16,057",
            "thread_id": "3472",
            "caller": "0x7ff712feb5bc",
            "parentcaller": "0x7ff712fec77a",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "8BC3F05E-D86B-11D0-A075-00C04FB68820"
              },
              {
                "name": "ClsContext",
                "value": "0x00000014",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3472",
            "caller": "0x7ff712feb5bc",
            "parentcaller": "0x7ff712fec77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\fastprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99dc10000"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3472",
            "caller": "0x7ff712feb5bc",
            "parentcaller": "0x7ff712fec77a",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3472",
            "caller": "0x7ff712fedafb",
            "parentcaller": "0x7ff712feb615",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 53
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3472",
            "caller": "0x7ff712feb1d8",
            "parentcaller": "0x7ff712feb33c",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002e8",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff712feb120"
              },
              {
                "name": "Parameter",
                "value": "0x1e535774a40"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "3548"
              },
              {
                "name": "ProcessId",
                "value": "2868"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3472",
            "caller": "0x7ff712fea124",
            "parentcaller": "0x7ff712feb77b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535777000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3472",
            "caller": "0x7ff712fea124",
            "parentcaller": "0x7ff712feb77b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53577a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3504",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3504",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53577e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3504",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3504",
            "caller": "0x7ff99dc3b02d",
            "parentcaller": "0x7ff99dc3a607",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 60
          },
          {
            "timestamp": "2026-06-29 12:44:16,072",
            "thread_id": "3504",
            "caller": "0x7ff712fef038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wmiutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e310000"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "3504",
            "caller": "0x7ff712fef038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wmiutils.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e310000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "3504",
            "caller": "0x7ff712fef038",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "3504",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a96d879f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000314"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "4716",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000320"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "4716",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "4716",
            "caller": "0x7ff712fe1cb2",
            "parentcaller": "0x7ff712fe1a68",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000328"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "4716",
            "caller": "0x7ff712fe1cb2",
            "parentcaller": "0x7ff712fe1a68",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "4716",
            "caller": "0x7ff712fe4e98",
            "parentcaller": "0x7ff712fe1ab3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "4716",
            "caller": "0x7ff712fe4ef3",
            "parentcaller": "0x7ff712fe1ab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535784000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-29 12:44:16,088",
            "thread_id": "4716",
            "caller": "0x7ff712fe4ef3",
            "parentcaller": "0x7ff712fe1ab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535787000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-29 12:44:16,104",
            "thread_id": "4716",
            "caller": "0x7ff712fe56cb",
            "parentcaller": "0x7ff712fe5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7f80000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-29 12:44:16,104",
            "thread_id": "4716",
            "caller": "0x7ff712fe56cb",
            "parentcaller": "0x7ff712fe5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6e00000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-29 12:44:16,104",
            "thread_id": "4716",
            "caller": "0x7ff712fe56cb",
            "parentcaller": "0x7ff712fe5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\esscli"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a0da0000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-29 12:44:16,104",
            "thread_id": "4716",
            "caller": "0x7ff712fe56cb",
            "parentcaller": "0x7ff712fe5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\stdprov"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e3d0000"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "4716",
            "caller": "0x7ff712fe56cb",
            "parentcaller": "0x7ff712fe5514",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "API-MS-Win-Security-Base-L1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "4716",
            "caller": "0x7ff712fe56cb",
            "parentcaller": "0x7ff712fe5514",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\stdprov.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3d0000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "4716",
            "caller": "0x7ff712fe56cb",
            "parentcaller": "0x7ff712fe5514",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "FE9AF5C0-D3B6-11CE-A5B6-00AA00680C3F"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "4716",
            "caller": "0x7ff712fe998d",
            "parentcaller": "0x7ff712fe899b",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "4716",
            "caller": "0x7ff712fee7c7",
            "parentcaller": "0x7ff712fee590",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53578c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "4716",
            "caller": "0x7ff99dc3a740",
            "parentcaller": "0x7ff99dc3a3e5",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000036c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53578f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff712fef72f",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000378"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff99dc3b02d",
            "parentcaller": "0x7ff9a96f0d30",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff712fe98d2",
            "parentcaller": "0x7ff712ff089f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535794000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff712ff0cac",
            "parentcaller": "0x7ff712ff08df",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e5378f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff712ff0daf",
            "parentcaller": "0x7ff712ff08df",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-29 12:44:16,119",
            "thread_id": "2128",
            "caller": "0x7ff712ff0daf",
            "parentcaller": "0x7ff712ff08df",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e535796000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-29 12:45:19,401",
            "thread_id": "4232",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000368"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fecedd",
            "parentcaller": "0x7ff712fe9d3e",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000038c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53578a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\stdprov"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e3d0000"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7f80000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a7f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6e00000"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\esscli"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a0da0000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a0da0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e3d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc20000"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ff97fc40000"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff97fc40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wmiutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99e310000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3548",
            "caller": "0x7ff712fe9d51",
            "parentcaller": "0x7ff712fecf09",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99e310000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3472",
            "caller": "0x7ff712feb7e8",
            "parentcaller": "0x7ff712fec77a",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000002e8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000384"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3472",
            "caller": "0x7ff712feb852",
            "parentcaller": "0x7ff712fec77a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53574a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3472",
            "caller": "0x7ff712feb852",
            "parentcaller": "0x7ff712fec77a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e53575e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-29 12:45:44,354",
            "thread_id": "3472",
            "caller": "0x7ff712ff274f",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-29 12:45:44,369",
            "thread_id": "3472",
            "caller": "0x7ff712ff274f",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 113
          }
        ],
        "threads": [
          "336",
          "3472",
          "4232",
          "3504",
          "4716",
          "2128",
          "3548"
        ],
        "environ": {
          "UserName": "LOCAL SERVICE",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff712fe0000",
          "MainExeSize": "0x0007e000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 5432,
        "process_name": "notepad.exe",
        "parent_id": 2108,
        "module_path": "C:\\Windows\\System32\\notepad.exe",
        "first_seen": "2026-06-29 12:44:18,171",
        "calls": [
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e48d9",
            "parentcaller": "0x7ff9aa3e3b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e4a50",
            "parentcaller": "0x7ff9aa3e3b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e49bd",
            "parentcaller": "0x7ff9aa3e3b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000218"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b4f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3de7a0",
            "parentcaller": "0x7ff9aa3e4cfd",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3de7f0",
            "parentcaller": "0x7ff9aa3e4cfd",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000021c"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3de818",
            "parentcaller": "0x7ff9aa3e4cfd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e51b2",
            "parentcaller": "0x7ff9aa3e4dcf",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e4c33",
            "parentcaller": "0x7ff9aa3e462e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e4c3a",
            "parentcaller": "0x7ff9aa3e462e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e462e",
            "parentcaller": "0x7ff9aa3e3b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b4f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e2a0e",
            "parentcaller": "0x7ff9940b3a63",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "ThemePropScrollBarCtl"
              },
              {
                "name": "Atom",
                "value": "0x0000c01b"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aa3e2a0e",
            "parentcaller": "0x7ff9940b3a7d",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "MicrosoftTabletPenServiceProperty"
              },
              {
                "name": "Atom",
                "value": "0x0000c01c"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9940b3bbc",
            "parentcaller": "0x7ff9940b3aed",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9940b3afb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "LPK"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9940b3b13",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "GDI32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9940b3b2e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "LpkEditControl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3c4720"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9940b3b2e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9940e9e80"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5436",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff737de5a30"
              },
              {
                "name": "Parameter",
                "value": "0x2e2b693000"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5556",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-29 12:44:18,312",
            "thread_id": "5556",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de5842",
            "parentcaller": "0x7ff737de590b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b538000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de6079",
            "parentcaller": "0x7ff737de590b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de60ac",
            "parentcaller": "0x7ff737de590b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a8430000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa59e60"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de60c0",
            "parentcaller": "0x7ff737de590b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a8430000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a849ce10"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de60d4",
            "parentcaller": "0x7ff737de590b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a8430000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa453d0"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de5899",
            "parentcaller": "0x7ff737de592c",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff737de6710"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc657c",
            "parentcaller": "0x7ff737dc74e7",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc6599",
            "parentcaller": "0x7ff737dc74e7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa9f93b0"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc3e47",
            "parentcaller": "0x7ff737dc6a71",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f9b0"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc6aee",
            "parentcaller": "0x7ff737dc65e2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa32450"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5552",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5552",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc3dba",
            "parentcaller": "0x7ff737dc4975",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc480d",
            "parentcaller": "0x7ff737dc6cb5",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa4cb70"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc3d2b",
            "parentcaller": "0x7ff737dc706a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc78b9",
            "parentcaller": "0x7ff737dc68d3",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc78e7",
            "parentcaller": "0x7ff737dc68d3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5548",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dc304b",
            "parentcaller": "0x7ff737dc7989",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5548",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de55d5",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5544",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b53a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de55d5",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5544",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5544",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1c0",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x1690b512348",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5436"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000228"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000228"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000234"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\r\\x1d?\\xc7\\xcb\\x87q\\x0b5#\\xe9b\\xf1o\\x81!\\x9dt(\\xff\\x9b\\xb0\\xf9x\\xfe\\xf3\\x8e\\xfes\\xe4\"\\x92\\xd3?/H\\xa4sh\\x8a\\x99\\x17\n\\xbe*\\x87\\x91r"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc1d6",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000240"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000244"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a603f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b53b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6033f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b53d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-29 12:44:18,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a5b50000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a5b50000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a5b57ce0"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xe7Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000214"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc215",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CLSIDFromOle1Class"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97680a0"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xefZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x80\\xefZ+.\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000258"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b4f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x2e2b5aefc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              },
              {
                "name": "ValueName",
                "value": "Com+Enabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "clbcatq.dll"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000025c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a96a4000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\MaximumCommitCondition"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\clbcatq"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a961d990"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\WindowsRuntime"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000264"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ActivatableClassId"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000268"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Resources.Core.ResourceManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000026c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff8aX\\x17\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00n\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00s\\x00.\\x00C\\x00o\\x00r\\x00e\\x00.\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\x00\\x00[g\\xffb5w\\xffd1\\xffc4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00H\\xffecZ+.\\x00\\x00\\x00\\xffebi\\xffb5w\\xffd1\\xffc4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffb0S\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00`\\xff94S\\x0bi\\x01\\x00\\x00\\xff90\\xffecZ+.\\x00\\x00\\x00\\xffa4L\\xffa2\\xff86\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffffd\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffcd$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\xffe8#\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00`\\xff94S\\x0bi\\x01\\x00\\x00\\xffc8\\xffd5\\xffc4\\xff86\\xfff9\\x7f\\x00\\x00\\x19\\x01\\x02\\x00i\\x01\\x00\\x00\\xff98$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff80$\\xffc5\\xff86\\xfff9\\x7f\\x00\\x00\\xff80\\xffecZ+.\\x00\\x00\\x00h\\xffd9\\xffc4\\xff86\\xfff9\\x7f\\x00\\x00\\xff90\\xffecZ+.\\x00\\x00\\x00\\xffa0\\xff94S\\x0bi\\x01\\x00\\x00\\xffc0\\xffddr\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\x10\\xffeeZ+.\\x00\\x00\\x00`\\xff94S\\x0bi\\x01\\x00\\x00\\xffe0\\xffb0S\\x0bi\\x01\\x00\\x00\\xff80CQ\\x0bi\\x01\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00$\\x00&\
\x00\\x00\\x00\\x00\\x00\\xffbc\\xff94S\\x0bi\\x01\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffecZ+.\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xff82S\\x0bi\\x01\\x00\\x00\\xfff2\\xffd0r\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\MrmCoreR.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000026c"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xedZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00i\\x01\\x00\\x00@\\xefZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\xa6\\x89]\\x03|\\x00\\x00\\xa1[\\xa1\\xaa\\xf9\\x7f\\x00\\x00\\x009\\xd4\\x91\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000026c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes"
              },
              {
                "name": "Handle",
                "value": "0x00000270"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x00000274"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              },
              {
                "name": "ValueName",
                "value": "MaxSxSHashCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-29 12:44:18,343",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MrmCoreR"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a06e0000"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\MrmCoreR.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a06e0000"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a06e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\MrmCoreR.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a06e0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a071e5b0"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a06e0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a071dea0"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a06e0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a071ebc0"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e35",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a07ce000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa9f93b0"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f9b0"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa32450"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa4cb70"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 218
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 221
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b549000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 225
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 230
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 233
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\resources.pri"
              }
            ],
            "repeated": 1,
            "id": 236
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737de4e5e",
            "parentcaller": "0x7ff737dcc22f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 6,
            "id": 242
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd3085",
            "parentcaller": "0x7ff737dd3e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b54a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd3e7e",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1690b460760",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "Type",
                "value": "#9"
              },
              {
                "name": "Name",
                "value": "GlobalAcc"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd3e7e",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1690b4629dc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1690b460760"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd3e9b",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1690b460770",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "Type",
                "value": "#9"
              },
              {
                "name": "Name",
                "value": "MainAcc"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd3e9b",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1690b462a7c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1690b460770"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1690cee0818",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#2"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1690cef96d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1690cee0818"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1690cee07e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#11"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1690cef7840",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1690cee07e8"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde404",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde449",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1690cee0818",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#2"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde449",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1690cef96d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1690cee0818"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde449",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1690cee0808",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#13"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dde449",
            "parentcaller": "0x7ff737dd3ed7",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1690cef9270",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1690cee0808"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dc9090",
            "parentcaller": "0x7ff737dd3f06",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dc9090",
            "parentcaller": "0x7ff737dd3f06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dc9090",
            "parentcaller": "0x7ff737dd3f06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dc9090",
            "parentcaller": "0x7ff737dd3f06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dc9090",
            "parentcaller": "0x7ff737dd3f06",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dc9090",
            "parentcaller": "0x7ff737dd3f06",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dc9090",
            "parentcaller": "0x7ff737dd3f06",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd26e3",
            "parentcaller": "0x7ff737dd3f10",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Notepad"
              },
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2710",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfEscapement"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfEscapement"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd272b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfOrientation"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOrientation"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2746",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfWeight"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfWeight"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2760",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfItalic"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfItalic"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd277a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfUnderline"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfUnderline"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2794",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfStrikeOut"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfStrikeOut"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd27ae",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfCharSet"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfCharSet"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd27c8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfOutPrecision"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOutPrecision"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd27e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfClipPrecision"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfClipPrecision"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd27fc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfQuality"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfQuality"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2816",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfPitchAndFamily"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfPitchAndFamily"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd2844",
            "parentcaller": "0x7ff737dd3f10",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Notepad\\DefaultFonts"
              },
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Notepad\\DefaultFonts"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd21ef",
            "parentcaller": "0x7ff737dd2871",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "lfFaceName"
              },
              {
                "name": "Data",
                "value": "Consolas"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2885",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "ValueName",
                "value": "iPointSize"
              },
              {
                "name": "Data",
                "value": "110"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd2893",
            "parentcaller": "0x7ff737dd3f10",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd21ef",
            "parentcaller": "0x7ff737dd28bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "lfFaceName"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfFaceName"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd28d0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iPointSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iPointSize"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd28ea",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fWrap"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrap"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2974",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iDefaultEncoding"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iDefaultEncoding"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd29f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "StatusBar"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\StatusBar"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2a12",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fSaveWindowPositions"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fSaveWindowPositions"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd2117",
            "parentcaller": "0x7ff737dd2a23",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fWindowsOnlyEOL"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWindowsOnlyEOL"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd2117",
            "parentcaller": "0x7ff737dd2a3a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fPasteOriginalEOL"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fPasteOriginalEOL"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd2117",
            "parentcaller": "0x7ff737dd2a51",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fReverse"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fReverse"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd2117",
            "parentcaller": "0x7ff737dd2a6b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fWrapAround"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrapAround"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd2117",
            "parentcaller": "0x7ff737dd2a85",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fMatchCase"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMatchCase"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd21ef",
            "parentcaller": "0x7ff737dd2ab2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "searchString"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\searchString"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd21ef",
            "parentcaller": "0x7ff737dd2ad1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "replaceString"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\replaceString"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd21ef",
            "parentcaller": "0x7ff737dd2af5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "szHeader"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szHeader"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd21ef",
            "parentcaller": "0x7ff737dd2b14",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "szTrailer"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szTrailer"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2b2c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iMarginTop"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginTop"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2b4a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iMarginBottom"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginBottom"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2b68",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iMarginLeft"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginLeft"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2b86",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iMarginRight"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginRight"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2ba5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iWindowPosY"
              },
              {
                "name": "Data",
                "value": "182"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosY"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-29 12:44:18,359",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2bbf",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iWindowPosX"
              },
              {
                "name": "Data",
                "value": "182"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosX"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2bd9",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iWindowPosDX"
              },
              {
                "name": "Data",
                "value": "1080"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDX"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2bf3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "iWindowPosDY"
              },
              {
                "name": "Data",
                "value": "624"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDY"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737dd209f",
            "parentcaller": "0x7ff737dd2c0d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "ValueName",
                "value": "fMLE_is_broken"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMLE_is_broken"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737dd2c24",
            "parentcaller": "0x7ff737dd3f10",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de7042",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de7042",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de0bee",
            "parentcaller": "0x7ff737dde657",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7a90000"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de0bee",
            "parentcaller": "0x7ff737dde657",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de0bee",
            "parentcaller": "0x7ff737dde657",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de0bee",
            "parentcaller": "0x7ff737dde657",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de0bee",
            "parentcaller": "0x7ff737dde657",
            "category": "filesystem",
            "api": "SHGetKnownFolderPath",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FolderID",
                "value": "F1B32785-6FBA-4FCF-9D55-7B8E7F157091"
              },
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "Path",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de16b3",
            "parentcaller": "0x7ff737dd3f70",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737de16b3",
            "parentcaller": "0x7ff737dd3f70",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x1690b4606b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "Type",
                "value": "#4"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-29 12:44:18,374",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x1690b4608a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff737dc0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x1690b4606b0"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9a10000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00115000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aed000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aec000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9aec000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\x00G\\x00I\\x00S\\x00\\x02\\x00\\x00\\x00Y\\x00\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00I\\x00N\\x00E\\x00\\\\x00\\x02\\x00\\x00\\x00f\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00M\\x00i\\x00c\\x00\\x02\\x00\\x00\\x00s\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00n\\x00d\\x00o\\x00\\x02\\x00\\x00\\x00R\\x00u\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9a10000"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msctf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9a10000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a9a51520"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dd3fcb",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000298"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\2\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000298"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x2e2b5acbf0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Windows\\Theme4054054479"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\2\\Windows\\Theme738112361"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690e8a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x2e2b5ad310"
              },
              {
                "name": "ViewSize",
                "value": "0x000e2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x2e2b5ad310"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa9f93b0"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f9b0"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa32450"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa4cb70"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b54c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd3fcb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690ea82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf50000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690ea84000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690ea85000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b54e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-29 12:44:18,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b553000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              },
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ec"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "67"
              },
              {
                "name": "MaxValueNameLength",
                "value": "27"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b558000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Lucida Sans Unicode"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lucida Sans Unicode"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "Microsoft Sans Serif"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft Sans Serif"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "Tahoma"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Tahoma"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Bold"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Light"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "ValueName",
                "value": "Ebrima"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "ValueName",
                "value": "Ebrima Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima Bold"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "ValueName",
                "value": "Gadugi"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "11"
              },
              {
                "name": "ValueName",
                "value": "Gadugi Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi Bold"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI Bold"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "14"
              },
              {
                "name": "ValueName",
                "value": "Lao UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "15"
              },
              {
                "name": "ValueName",
                "value": "Lao UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI Bold"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "16"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "17"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee Bold"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "18"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "19"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI Bold"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "20"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "21"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Bold"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "22"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "23"
              },
              {
                "name": "ValueName",
                "value": "MingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "24"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "25"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "26"
              },
              {
                "name": "ValueName",
                "value": "MingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "27"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "28"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS-ExtB"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "29"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "30"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei Bold"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "31"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "32"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "33"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "34"
              },
              {
                "name": "ValueName",
                "value": "SimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "35"
              },
              {
                "name": "ValueName",
                "value": "SimSun-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun-ExtB"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "36"
              },
              {
                "name": "ValueName",
                "value": "NSimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\NSimSun"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "37"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "38"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei Bold"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "39"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "40"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "41"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "42"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "43"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Bold"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "44"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Light"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "45"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "46"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "47"
              },
              {
                "name": "ValueName",
                "value": "Meiryo"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "48"
              },
              {
                "name": "ValueName",
                "value": "Meiryo Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo Bold"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "49"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "50"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI Bold"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "51"
              },
              {
                "name": "ValueName",
                "value": "MS Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Gothic"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "52"
              },
              {
                "name": "ValueName",
                "value": "MS PGothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PGothic"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "53"
              },
              {
                "name": "ValueName",
                "value": "MS UI Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS UI Gothic"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "54"
              },
              {
                "name": "ValueName",
                "value": "MS Mincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Mincho"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "55"
              },
              {
                "name": "ValueName",
                "value": "MS PMincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PMincho"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "56"
              },
              {
                "name": "ValueName",
                "value": "Batang"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Batang"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "57"
              },
              {
                "name": "ValueName",
                "value": "BatangChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\BatangChe"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "58"
              },
              {
                "name": "ValueName",
                "value": "Dotum"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Dotum"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "59"
              },
              {
                "name": "ValueName",
                "value": "DotumChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\DotumChe"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "60"
              },
              {
                "name": "ValueName",
                "value": "Gulim"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gulim"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "61"
              },
              {
                "name": "ValueName",
                "value": "GulimChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GulimChe"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "62"
              },
              {
                "name": "ValueName",
                "value": "Gungsuh"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gungsuh"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "63"
              },
              {
                "name": "ValueName",
                "value": "GungsuhChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GungsuhChe"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "64"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "65"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Bold"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "66"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Semilight"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Index",
                "value": "67"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "0",
                "pretty_value": "REG_NONE"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b55b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              },
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "ValueName",
                "value": "Disable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "ValueName",
                "value": "DataFilePath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-29 12:44:18,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "Buffer",
                "value": "\\x1a\\x83W\\xa5\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00$\\x01\\x00\\x00$)\\x00\\x00\\x00\\x00\\x02\\x00\\xbe\\x02\\x00\\x00<\\x00\\x00\\x00$!\\x00\\x00L)\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "60"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002ec"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690f0d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x2e2b5aaca0"
              },
              {
                "name": "ViewSize",
                "value": "0x01260000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b562000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b55a000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002f8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000ac000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f4f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f4f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f4f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f4f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f4f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f4f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x7ff998f00000"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\TextShaping"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff998f00000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff998f4a760"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8286000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8286000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b55a000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b561000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b55a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b556000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b556000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane2"
              },
              {
                "name": "Data",
                "value": "SimSun-ExtB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-29 12:44:18,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane11"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane13"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane14"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane15"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Plane16"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "4"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "13"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "MingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "PMingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "SimSun"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f8"
              },
              {
                "name": "SubKey",
                "value": "Segoe UI"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dcbb57",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000268"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Security.EnterpriseData.ProtectionPolicyManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f8"
              },
              {
                "name": "KeyInformation",
                "value": "5s\\x06\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00n\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00c\\x00u\\x00r\\x00i\\x00t\\x00y\\x00.\\x00E\\x00n\\x00t\\x00e\\x00r\\x00p\\x00r\\x00i\\x00s\\x00e\\x00D\\x00a\\x00t\\x00a\\x00.\\x00P\\x00r\\x00o\\x00t\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00P\\x00o\\x00l\\x00i\\x00c\\x00y\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\x00\\x00\\x18\\x00\n\\x00\\x00\\x00\\x00\\x00\\xffbc\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xfffdR\\x0bi\\x01\\x00\\x00y\\xffd9Z+.\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc7\\xffb3\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\xffe0\\x13?\\x0bi\\x01\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00?\\x0bi\\x01\\x00\\x00\\xffc4\\x02?\\x0bi\\x01\\x00\\x00\\x1cCT\\x0bi\\x01\\x00\\x00XU\\xff9b\\xffa9\\xfff9\\x7f\\x00\\x00\\x18>T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xffdaZ+.\\x00\\x00\\x00\\xff98kp\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00 \\xffb2S\\x0bi\\x01\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\xfff0=T\\x0bi\\x01\\x00\\x00 \\xffb2S\\x0bi\\x01\\x00\\x00\\xffd0yS\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x03Q\\x0b\\x02\\x00\\x00\\x00\\xffa6Ap\\xffa9\\xfff9\\x7f\\x00\\x00\\xfff0pU\\x0bi\\x01\\x00\\x00\\xffd0yS\\x0bi\\x01\\x00\\x00\\xff90oT\\x0bi\\x01\\x00\\x00\\xff90oT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\xffb2S\\x0bi\\x01\\x00\\x00\\xff90oT\\x0bi\\x01\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00\\xffb0\\xffb9T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffb9T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00@\\xffdbZ+.\\x00\\x00\\x00\\xffa1Ep\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b55a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\windows.storage.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a6230000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\windows.storage.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a6230000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a6331ee0"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a6230000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a63b2b80"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a6230000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a63b9c50"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 544
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a699a000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a699a000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000268"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f8"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffb0\\xffa6%\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00c\\x00u\\x00r\\x00i\\x00t\\x00y\\x00.\\x00E\\x00n\\x00t\\x00e\\x00r\\x00p\\x00r\\x00i\\x00s\\x00e\\x00D\\x00a\\x00t\\x00a\\x00.\\x00P\\x00r\\x00o\\x00t\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00P\\x00o\\x00l\\x00i\\x00c\\x00y\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00P\\x00r\\x00i\\x00v\\x00a\\x00t\\x00e\\x00P\\x00T\\x00\\xffb0\\xfffdR\\x0bi\\x01\\x00\\x00I\\xffd9Z+.\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc7\\xffb3\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\xffe0\\x13?\\x0bi\\x01\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00?\\x0bi\\x01\\x00\\x00\\xffc4\\x02?\\x0bi\\x01\\x00\\x00LIT\\x0bi\\x01\\x00\\x00XU\\xff9b\\xffa9\\xfff9\\x7f\\x00\\x00\\xffe8@T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffdaZ+.\\x00\\x00\\x00\\xff98kp\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00`\\xff94U\\x0bi\\x01\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\xffc0@T\\x0bi\\x01\\x00\\x00`\\xff94U\\x0bi\\x01\\x00\\x00\\xff90xS\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x03Q\\x0b\\x02\\x00\\x00\\x00\\xffa6Ap\\xffa9\\xfff9\\x7f\\x00\\x00\\x10\\xffc9Q\\x0bi\\x01\\x00\\x00\\xff90xS\\x0bi\\x01\\x00\\x00\\x00pT\\x0bi\\x01\\x00\\x00\\x00pT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xff94U\\x0bi\\x01\\x00\\x00\\x00pT\\x0bi\\x01\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00\\x10\\xffc3T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffc3T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\x10\\xffdbZ+.\\x00\\x00\\x00\\xffa1Ep\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Server"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\efswrt.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Threading"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xddZ+.\\x00\\x00\\x00`\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\xff\\xff\\xff\\xff\\xc8\\xd5\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86\\xf9\\x7f\\x00\\x00(\\xdeZ+.\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\xb0F\\xa8\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MPR"
              },
              {
                "name": "DllBase",
                "value": "0x7ff998030000"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 566
          },
          {
            "timestamp": "2026-06-29 12:44:18,437",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\efswrt"
              },
              {
                "name": "DllBase",
                "value": "0x7ff987d80000"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\efswrt.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff987d80000"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff987d80000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\efswrt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "efswrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff987d80000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff987d85da0"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "efswrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff987d80000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff987d85bc0"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "efswrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff987d80000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff987d85b50"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000268"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Core.CoreApplication"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000330"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff8aX\\x17\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00Z\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00C\\x00o\\x00r\\x00e\\x00.\\x00C\\x00o\\x00r\\x00e\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xffb8\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x16\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\xffb6\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xfffdR\\x0bi\\x01\\x00\\x00\\xfff9\\xffd7Z+.\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc7\\xffb3\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\xffe0\\x13?\\x0bi\\x01\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00?\\x0bi\\x01\\x00\\x00\\xffc4\\x02?\\x0bi\\x01\\x00\\x00\\x00\\x00?\\x0bi\\x01\\x00\\x00XU\\xff9b\\xffa9\\xfff9\\x7f\\x00\\x00\\xffa8GT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffd8Z+.\\x00\\x00\\x00\\xff98kp\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\xff80>T\\x0bi\\x01\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\xff80GT\\x0bi\\x01\\x00\\x00\\xff80>T\\x0bi\\x01\\x00\\x00\\x10xS\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xff94U\\x0b\\x02\\x00\\x00\\x00\\xffa6Ap\\xffa9\\xfff9\\x7f\\x00\\x00\\xffc0\\xffc6U\\x0bi\\x01\\x00\\x00\\x10xS\\x0bi\\x01\\x00\\x00\\xff90oT\\x0bi\\x01\\x00\\x00\\xff90oT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80>T\\x0bi\\x01\\x00\\x00\\xff90oT\\x0bi\\x01\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00\\xffc0\\xffc7T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffc7T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\xffc0\\xffd9Z+.\\x00\\x00\\x00\\xffa1Ep\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000330"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\twinapi.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a10f0000"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a10f0000"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a10f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a10f0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a1142010"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a10f0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a113ead0"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a10f0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a114d8f0"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a12e3000"
              },
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a12e3000"
              },
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000350"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5672",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf07000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5672",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-29 12:44:18,452",
            "thread_id": "5672",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x1690b510b50"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a114f506",
            "parentcaller": "0x7ff9a11109df",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a97708cd",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000268"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Foundation.Collections.PropertySet"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a9770927",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "KeyInformation",
                "value": "<\\x1d\\x1c\\xffce}\\x07\\xffdd\\x01\\x00\\x00\\x00\\x00T\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00F\\x00o\\x00u\\x00n\\x00d\\x00a\\x00t\\x00i\\x00o\\x00n\\x00.\\x00C\\x00o\\x00l\\x00l\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00s\\x00.\\x00P\\x00r\\x00o\\x00p\\x00e\\x00r\\x00t\\x00y\\x00S\\x00e\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xffb8\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x12\\x00\n\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xfffdR\\x0bi\\x01\\x00\\x00\\xff89\\xffec\\xffb7+.\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc7\\xffb3\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\xffe0\\x13?\\x0bi\\x01\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00?\\x0bi\\x01\\x00\\x00\\xffc4\\x02?\\x0bi\\x01\\x00\\x00\\x00\\x00?\\x0bi\\x01\\x00\\x00XU\\xff9b\\xffa9\\xfff9\\x7f\\x00\\x00\\xffb8CT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffed\\xffb7+.\\x00\\x00\\x00\\xff98kp\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00@\\xffc6U\\x0bi\\x01\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa1\\xffaa\\xfff9\\x7f\\x00\\x00\\xff90CT\\x0bi\\x01\\x00\\x00@\\xffc6U\\x0bi\\x01\\x00\\x00\\xffd0\\xff84S\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x01\\x00\\x00\\x00/V\\x0b\\x02\\x00\\x00\\x00\\xffa6Ap\\xffa9\\xfff9\\x7f\\x00\\x00@\\xffccU\\x0bi\\x01\\x00\\x00\\xffd0\\xff84S\\x0bi\\x01\\x00\\x00ppT\\x0bi\\x01\\x00\\x00ppT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xffc6U\\x0bi\\x01\\x00\\x00ppT\\x0bi\\x01\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00\\xffc0\\xffc7T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\xffb7+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffc7T\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00P\\xffee\\xffb7+.\\x00\\x00\\x00\\xffa1Ep\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a97356ac",
            "parentcaller": "0x7ff9a979b1b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000364"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a976ab76",
            "parentcaller": "0x7ff9a976f113",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a4dc0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a4dc0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a4dc95a0"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a4dc0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a4dc9100"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a4dc0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a4dd47c0"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4efc000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4efc000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a96de87e",
            "parentcaller": "0x7ff9a970ced5",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 628
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a1119434",
            "parentcaller": "0x7ff9a1118f96",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a11194af",
            "parentcaller": "0x7ff9a1118f96",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x803V\\x0bi\\x01\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xa83V\\x0bi\\x01\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc83V\\x0bi\\x01\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf0\\x19\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845ef7c",
            "parentcaller": "0x7ff9a845eb19",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 631
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845f960",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845f984",
            "parentcaller": "0x7ff9a845eb81",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\XAML"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\XAML"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e5d4",
            "parentcaller": "0x7ff9a115164d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "OneCoreTransformsEnabledByDefault"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a845e608",
            "parentcaller": "0x7ff9a115164d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a970b7c6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5672",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000350"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "RaiseActivationAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000035a"
              },
              {
                "name": "SubKey",
                "value": "AppID\\NOTEPAD.EXE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\NOTEPAD.EXE"
              }
            ],
            "repeated": 1,
            "id": 653
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "RaiseDefaultAuthnLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "DefaultAccessPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000036c"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\x9bS\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00c\\x00e\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00002100"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00001538"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.COM.DISABLE.5432"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.IEC.STATUS.6c736db0"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000035a"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x00000376"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000376"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037a"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000376"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\rV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\x10V\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x97S\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "xpT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00{E\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x00\\xd3Z+.\\x00\\x00\\x00\\xf8\\xd2Z+.\\x00\\x00\\x00\\xc8\\xd2Z+.\\x00\\x00\\x00\\xe8\\xd2Z+"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00ppT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xd0Z+.\\x00\\x00\\x00x\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h\\x0fV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\tV\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00W\\x00i\\x00n\\x00T\\x00y\\x00p\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x98S\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8sT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x1bI\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00`\\xcfZ+.\\x00\\x00\\x00X\\xcfZ+.\\x00\\x00\\x00(\\xcfZ+.\\x00\\x00\\x00H\\xcfZ+"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0sT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xcdZ+.\\x00\\x00\\x00x\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000378"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000037c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1690b5376d0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "5680"
              },
              {
                "name": "ProcessId",
                "value": "5432"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000037c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1690b5376d0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "5680"
              },
              {
                "name": "ProcessId",
                "value": "5432"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h\\x03V\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\x0cV\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xf9V\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-06-29 12:44:18,468",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8uT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xabA\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xd0\\xd6Z+.\\x00\\x00\\x00\\xc8\\xd6Z+.\\x00\\x00\\x00\\x98\\xd6Z+.\\x00\\x00\\x00\\xb8\\xd6Z+"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0uT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd4Z+.\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x04V\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x08V\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xfdV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "xpT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00KE\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x000\\xd3Z+.\\x00\\x00\\x00(\\xd3Z+.\\x00\\x00\\x00\\xf8\\xd2Z+.\\x00\\x00\\x00\\x18\\xd3Z+"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00ppT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xd1Z+.\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\nV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\x07V\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00U\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00a\\x00j\\x00e\\x00s\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5680",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xfeV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5680",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1690b5376d0"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88sT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xabA\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xd0\\xd6Z+.\\x00\\x00\\x00\\xc8\\xd6Z+.\\x00\\x00\\x00\\x98\\xd6Z+.\\x00\\x00\\x00\\xb8\\xd6Z+"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80sT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd4Z+.\\x00\\x00\\x00|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\x03V\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\x05V\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xfdV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8rT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00KE\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x000\\xd3Z+.\\x00\\x00\\x00(\\xd3Z+.\\x00\\x00\\x00\\xf8\\xd2Z+.\\x00\\x00\\x00\\x18\\xd3Z+"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000rT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xd1Z+.\\x00\\x00\\x00|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\rV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x0bV\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xffV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "HuT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xabA\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xd0\\xd6Z+.\\x00\\x00\\x00\\xc8\\xd6Z+.\\x00\\x00\\x00\\x98\\xd6Z+.\\x00\\x00\\x00\\xb8\\xd6Z+"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@uT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd4Z+.\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h\\x03V\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\x0cV\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xfaV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "xpT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00KE\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x000\\xd3Z+.\\x00\\x00\\x00(\\xd3Z+.\\x00\\x00\\x00\\xf8\\xd2Z+.\\x00\\x00\\x00\\x18\\xd3Z+"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00ppT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xd1Z+.\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x04V\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "p\\x0fV\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\xfaV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8sT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xabA\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xd0\\xd6Z+.\\x00\\x00\\x00\\xc8\\xd6Z+.\\x00\\x00\\x00\\x98\\xd6Z+.\\x00\\x00\\x00\\xb8\\xd6Z+"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0sT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd4Z+.\\x00\\x00\\x00|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\x08V\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\x10V\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00U\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00a\\x00j\\x00e\\x00s\\x00h\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00T\\x00e\\x00m\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xfeV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8uT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00KE\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x000\\xd3Z+.\\x00\\x00\\x00(\\xd3Z+.\\x00\\x00\\x00\\xf8\\xd2Z+.\\x00\\x00\\x00\\x18\\xd3Z+"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0uT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xd1Z+.\\x00\\x00\\x00|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5672",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000384"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000035a"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{C50898F6-C536-5F47-8583-8B2C2438A13B}"
              },
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{C50898F6-C536-5F47-8583-8B2C2438A13B}"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000392"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{c50898f6-c536-5f47-8583-8b2c2438a13b}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{c50898f6-c536-5f47-8583-8b2c2438a13b}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xbdZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00.\\x00\\x00\\x00p\\xbeZ+.\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000392"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Ptype_PSFactory"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000392"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xbcZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\xbdZ+.\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000392"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xbcZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\xbdZ+.\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000392"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xbaZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00.\\x00\\x00\\x000\\xbbZ+.\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000392"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Ptype_PSFactory"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000392"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-06-29 12:44:18,484",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xb8Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00.\\x00\\x00\\x00\\xc0\\xb9Z+.\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000392"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xb8Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00.\\x00\\x00\\x00\\xc0\\xb9Z+.\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000392"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000392"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xb8Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x92\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\xb9Z+.\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000392"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000392"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x00000396"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000396"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000396"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000035a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x00000392"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000392"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000392"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h\\x0fV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\x0fV\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xfdV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "xpT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xfbC\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x80\\xd4Z+.\\x00\\x00\\x00x\\xd4Z+.\\x00\\x00\\x00H\\xd4Z+.\\x00\\x00\\x00h\\xd4Z+"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00ppT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00h\\xd2Z+.\\x00\\x00\\x00\\x94\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xce0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H\\x0bV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\nV\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xfaV\\x0bi\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88sT\\x0bi\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x9bG\\xb5w\\xd1\\xc4\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xe0\\xd0Z+.\\x00\\x00\\x00\\xd8\\xd0Z+.\\x00\\x00\\x00\\xa8\\xd0Z+.\\x00\\x00\\x00\\xc8\\xd0Z+"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80sT\\x0bi\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xc8\\xceZ+.\\x00\\x00\\x00\\x94\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737de3ac5",
            "parentcaller": "0x7ff737dd4001",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff994050000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940d5680"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x16910330000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x16910330000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99429a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99429a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99429a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99429a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3c7000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-06-29 12:44:18,499",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll.Config"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff994050000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "HIMAGELIST_QueryInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940cfa30"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "DrawShadowText"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99414d0d0"
              }
            ],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "DrawSizeBox"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940df790"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "DrawScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940c0d30"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "SizeBoxHwnd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940c52e0"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_MouseMove"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9941422d0"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_Menu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9941420e0"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "HandleScrollCmd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff994142040"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "DetachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff994052450"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "AttachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940c7160"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "CCSetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940c2240"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "CCGetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940dbcd0"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "CCEnableScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff994052840"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "QuerySystemGestureStatus"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9941420a0"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2026-06-29 12:44:18,515",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000068"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000006c"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000026"
              },
              {
                "name": "uiParam",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000103e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001042"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000001b"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99429a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99429a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000394"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              },
              {
                "name": "ValueName",
                "value": "TurnOffSPIAnimations"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "ValueName",
                "value": "TurnOffSPIAnimations"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-06-29 12:44:18,531",
            "thread_id": "5436",
            "caller": "0x7ff737dd41b3",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690ea87000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-06-29 12:44:18,546",
            "thread_id": "5436",
            "caller": "0x7ff737de2479",
            "parentcaller": "0x7ff737dd3a21",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\oleacc"
              },
              {
                "name": "DllBase",
                "value": "0x7ff992900000"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de2479",
            "parentcaller": "0x7ff737dd3a21",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\oleacc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff992900000"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de2479",
            "parentcaller": "0x7ff737dd3a21",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "OLEAUT32.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de2479",
            "parentcaller": "0x7ff737dd3a21",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "B5F8350B-0548-48B1-A6EE-88BD00B4A5E7"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "6E26E776-04F0-495D-80E4-3330352E3169"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99295d000"
              },
              {
                "name": "ModuleName",
                "value": "oleacc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99295d000"
              },
              {
                "name": "ModuleName",
                "value": "oleacc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a95f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a95f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b3e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99295d000"
              },
              {
                "name": "ModuleName",
                "value": "oleacc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99295d000"
              },
              {
                "name": "ModuleName",
                "value": "oleacc.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd3a21",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "MSAA_*FCFFFFFF00000000"
              },
              {
                "name": "Atom",
                "value": "0x0000c043"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737dd425a",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737dd425a",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff994050000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737dd425a",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff994050000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9940d5680"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737dd425a",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd4270",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0b3f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737de24be",
            "parentcaller": "0x7ff737dd4270",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "MSAA_*FCFFFFFF00000000"
              },
              {
                "name": "Atom",
                "value": "0x0000c043"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737dd3adb",
            "parentcaller": "0x7ff737dd42a3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-06-29 12:44:18,562",
            "thread_id": "5436",
            "caller": "0x7ff737dd3adb",
            "parentcaller": "0x7ff737dd42a3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-06-29 12:44:18,577",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\NOTEPAD.EXE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\NOTEPAD.EXE"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9239000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "ChangeWindowMessageFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "message",
                "value": "49245"
              },
              {
                "name": "dwFlag",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "ChangeWindowMessageFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "message",
                "value": "49246"
              },
              {
                "name": "dwFlag",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 1,
            "id": 1010
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "MutexName",
                "value": "Local\\MSCTF.Asm.MutexDefault2"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "Milliseconds",
                "value": "2000"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\CTF.AsmListCache.FMPDefault2"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000394"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x2e2b5acc20"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b57a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\NOTEPAD.EXE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\NOTEPAD.EXE"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1023
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "8192"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "MutexName",
                "value": "CicLoadWinStaWinSta0"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "MutexName",
                "value": "Local\\MSCTF.CtfMonitorInstMutexDefault2"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1029
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "LaunchUserOOBE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1037
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              },
              {
                "name": "ValueName",
                "value": "LaunchUserOOBE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa9f93b0"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f9b0"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa32450"
              }
            ],
            "repeated": 0,
            "id": 1045
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa4cb70"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1051
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000001"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "textinputframework.dll"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2026-06-29 12:44:18,593",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\textinputframework.dll"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\textinputframework.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextInputFramework.dll"
              }
            ],
            "repeated": 0,
            "id": 1065
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bc00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000f9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcba000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcba000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcba000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcba000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcba000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5490000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0035e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a579f000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a564a000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a564a000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a564a000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a564a000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a564a000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b57c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a57f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5886000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5886000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5886000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5886000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5886000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2026-06-29 12:44:18,609",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00033000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e30000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e24000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e24000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e24000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e24000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e24000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcba000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5886000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e24000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a564a000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x17T\\x0bi\\x01\\x00\\x00\\x02\\x00\\x00\\x00i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x00e\\x00s\\x00s\\x00"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6e00000"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a57f0000"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2026-06-29 12:44:18,624",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5490000"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-06-29 12:44:18,640",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99bc00000"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b57d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\ntmarta"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6e00000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6e06930"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a57f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a5847480"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf08000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1129
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5490000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a5512fe0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\TextInputFramework"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bc00000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99bc3e070"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\"
              },
              {
                "name": "Handle",
                "value": "0x000003e8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              },
              {
                "name": "ValueName",
                "value": "EnableAnchorContext"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf09000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dd4455",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd4455",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "USER32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 1139
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd4455",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#32512"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcbb57",
            "parentcaller": "0x7ff737dd4455",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "Type",
                "value": "#22"
              },
              {
                "name": "Name",
                "value": "#32512"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcba89",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 4,
            "id": 1142
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dd4455",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1143
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dd4455",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dd4455",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2026-06-29 12:44:18,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dd4455",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 4,
            "id": 1146
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737dd2e33",
            "parentcaller": "0x7ff737dd459b",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1690b560ae0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xf0c08d74"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0748"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737dd2e48",
            "parentcaller": "0x7ff737dd459b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737dd45ca",
            "parentcaller": "0x7ff737dcc29e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737dd0f8f",
            "parentcaller": "0x7ff737dd46c5",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f930000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x001eb000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fac4000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fa73000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fa73000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fa73000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fa73000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fa72000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "srvcli.dll"
              }
            ],
            "repeated": 0,
            "id": 1164
          },
          {
            "timestamp": "2026-06-29 12:44:18,671",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1167
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f680000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x002b0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f915000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f7d4000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f7d4000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f7d4000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f7d4000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f7d3000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\srvcli.dll"
              }
            ],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f650000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00028000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f675000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f664000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f664000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f664000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f664000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f664000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000394"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000390"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000394"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f7d3000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1203
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfb\\xf9\\xf6\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x88\\x84\\x81\\xff\\x02\\x00\\x00\\x00\\xfb\\xf9\\xf6\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8d\\x93O\\xff\\x8b\\x96Q\\xff\\x02\\x00\\x00\\x00\\x88\\x9bT\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\xa3Y\\xff\\x7f\\xa5[\\xff\\x02\\x00\\x00\\x00\\xd1\\xbd\\xbc\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcb\\xcb\\xcb\\xff\\xcb\\xcb\\xcb\\xff\\x02\\x00\\x00\\x00\\xcb\\xcb\\xcb\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf7\\xf8\\xf9\\xff\\xf7\\xf8\\xf9\\xff\\x02\\x00\\x00\\x00\\xf7\\xf8\\xf9\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x84\\x81\\xff\\x00\\x00\\x00&\\x02\\x00\\x00\\x00\\x88\\x84\\x81\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\xbd\\xbc\\xff\\x91\\x8cK\\xff\\x02\\x00\\x00\\x00\\x8e\\x92N\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x89\\x9aS\\xff\\x87\\x9dU\\xff"
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f664000"
              },
              {
                "name": "ModuleName",
                "value": "srvcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fa72000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b57f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfb\\xf9\\xf6\\xff\\xc0\\xddQ\\x0bi\\x01\\x00\\x00<\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfb\\xf9\\xf6\\xff\\x80\\xc8Q\\x0bi\\x01\\x00\\x00\\xa8\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x9bT\\xff\\xf0BQ\\x0bi\\x01\\x00\\x00\\xac\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xd1\\xbd\\xbc\\xff0\\x8aQ\\x0bi\\x01\\x00\\x00\\xb0\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xcb\\xcb\\xcb\\xffPNQ\\x0bi\\x01\\x00\\x00\\xb4\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xf7\\xf8\\xf9\\xffp\\xb3S\\x0bi\\x01\\x00\\x00(\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x84\\x81\\xff\\xb0\\xdaV\\x0bi\\x01\\x00\\x000\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x8e\\x92N\\xff\\x90\\xebV\\x0bi\\x01\\x00\\x004\\x16\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f6000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\iertutil"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f680000"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\srvcli"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f650000"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a75f0000"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\urlmon"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f930000"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2026-06-29 12:44:18,687",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 5,
            "id": 1214
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsMultiSessionSku"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa30200"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\iertutil"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f680000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99f6b71b0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters"
              },
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "RpcCacheTimeout"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\LanmanWorkstation\\Parameters\\RpcCacheTimeout"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\srvcli"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f650000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99f652110"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\netutils"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a75f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a75f1ce0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsMultiSessionSku"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa30200"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fac4000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99fac4000"
              },
              {
                "name": "ModuleName",
                "value": "urlmon.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\urlmon"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f930000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff99f9afc30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de71fa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetDeviceFamilyInfoEnum"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa2f840"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5432"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000398"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f915000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f915000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xbdW\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5432"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000404"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xd8Z+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5\\xa3E\\xa8\\xf9\\x7f\\x00\\x00\\x98\\x03\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa760000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "user32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "IsImmersiveProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa789a30"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "50"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows\\system32"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "35"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FrameTabWindow"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "ValueName",
                "value": "FrameTabWindow"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "FrameMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "ValueName",
                "value": "FrameMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "SessionMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "ValueName",
                "value": "SessionMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "AdminTabProcs"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "ValueName",
                "value": "AdminTabProcs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs"
              }
            ],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xbfW\\x0bi\\x01\\x00\\x00`\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "Handle",
                "value": "0x00000408"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              },
              {
                "name": "ValueName",
                "value": "RunBinaryControlHostProcessInSeparateAppContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "ValueName",
                "value": "RunBinaryControlHostProcessInSeparateAppContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000404"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x00000410"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000410"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x0000041c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041c"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000410"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 1293
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000418"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041c"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1297
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000c0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2026-06-29 12:44:18,702",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000420"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000c0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 1299
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000420"
              },
              {
                "name": "ValueName",
                "value": "Security_HKLM_only"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000420"
              }
            ],
            "repeated": 0,
            "id": 1301
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000420"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
              }
            ],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000420"
              },
              {
                "name": "SubKey",
                "value": "FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000420"
              },
              {
                "name": "SubKey",
                "value": "FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b581000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000420"
              },
              {
                "name": "SubKey",
                "value": "FEATURE_URI_DISABLECACHE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_URI_DISABLECACHE"
              }
            ],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": ".txt"
              },
              {
                "name": "Handle",
                "value": "0x00000426"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\.txt"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000426"
              },
              {
                "name": "ValueName",
                "value": "Content Type"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type"
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd0e39",
            "parentcaller": "0x7ff737dd0fbb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000426"
              },
              {
                "name": "ValueName",
                "value": "Content Type"
              },
              {
                "name": "Data",
                "value": "text/plain"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de3928",
            "parentcaller": "0x7ff737dcdc0f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1313
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd1031",
            "parentcaller": "0x7ff737dd46c5",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd105d",
            "parentcaller": "0x7ff737dd46c5",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000428"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x2e2b5ae010"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1315
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd107c",
            "parentcaller": "0x7ff737dd46c5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd10a8",
            "parentcaller": "0x7ff737dd46c5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dd16a7",
            "parentcaller": "0x7ff737dd46c5",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1318
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737dccc9b",
            "parentcaller": "0x7ff737dd177d",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x1690b560d80",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xf0c08d74"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0748"
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1320
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "COMDLG32.dll"
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000428"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9450000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000da000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9526000"
              },
              {
                "name": "ModuleName",
                "value": "COMDLG32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a94fe000"
              },
              {
                "name": "ModuleName",
                "value": "COMDLG32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a94fe000"
              },
              {
                "name": "ModuleName",
                "value": "COMDLG32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a94fe000"
              },
              {
                "name": "ModuleName",
                "value": "COMDLG32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a94fe000"
              },
              {
                "name": "ModuleName",
                "value": "COMDLG32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a94fc000"
              },
              {
                "name": "ModuleName",
                "value": "COMDLG32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a94fc000"
              },
              {
                "name": "ModuleName",
                "value": "COMDLG32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b583000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\COMDLG32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9450000"
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\comdlg32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9450000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a9483a70"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1334
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2026-06-29 12:44:18,718",
            "thread_id": "5436",
            "caller": "0x7ff737de5542",
            "parentcaller": "0x7ff737de6e8a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff737df7000"
              },
              {
                "name": "ModuleName",
                "value": "NOTEPAD.EXE"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2026-06-29 12:44:18,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcf1e5",
            "parentcaller": "0x7ff737dcf299",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\PROPSYS"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2026-06-29 12:44:18,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcf1e5",
            "parentcaller": "0x7ff737dcf299",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2026-06-29 12:44:18,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcf1e5",
            "parentcaller": "0x7ff737dcf299",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcf1e5",
            "parentcaller": "0x7ff737dcf299",
            "category": "filesystem",
            "api": "SHGetFileInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Path",
                "value": "information.txt"
              },
              {
                "name": "Flags",
                "value": "0x00000210"
              },
              {
                "name": "DisplayName",
                "value": "information.txt"
              },
              {
                "name": "TypeName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dccce9",
            "parentcaller": "0x7ff737dd177d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dd17aa",
            "parentcaller": "0x7ff737dd46c5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b592000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dd17aa",
            "parentcaller": "0x7ff737dd46c5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b595000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dd17aa",
            "parentcaller": "0x7ff737dd46c5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b59a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dd17aa",
            "parentcaller": "0x7ff737dd46c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 1345
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dd17aa",
            "parentcaller": "0x7ff737dd46c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b4"
              },
              {
                "name": "SubKey",
                "value": "Consolas"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Consolas"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2026-06-29 12:44:18,749",
            "thread_id": "5436",
            "caller": "0x7ff737dd17aa",
            "parentcaller": "0x7ff737dd46c5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2026-06-29 12:44:18,781",
            "thread_id": "5436",
            "caller": "0x7ff737dd183f",
            "parentcaller": "0x7ff737dd46c5",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00030418"
              },
              {
                "name": "Message",
                "value": "0x000000c5"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2026-06-29 12:44:18,781",
            "thread_id": "5436",
            "caller": "0x7ff737dd1912",
            "parentcaller": "0x7ff737dd46c5",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2026-06-29 12:44:18,781",
            "thread_id": "5436",
            "caller": "0x7ff737dd1912",
            "parentcaller": "0x7ff737dd46c5",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd1947",
            "parentcaller": "0x7ff737dd46c5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd1947",
            "parentcaller": "0x7ff737dd46c5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "Start_TrackDocs"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_TrackDocs"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd1947",
            "parentcaller": "0x7ff737dd46c5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4778",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4c18",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "BitBlt"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3980"
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateCompatibleBitmap"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a4aa0"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateCompatibleDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3b70"
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateDIBSection"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a2820"
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateFontIndirectW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a1630"
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateSolidBrush"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a4b70"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "DeleteDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a2c70"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "DeleteObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a2130"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdiAlphaBlend"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a6c30"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "GdiGradientFill"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a6d70"
              }
            ],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCurrentObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a4880"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetDIBits"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a4560"
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetDeviceCaps"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3290"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetObjectW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3f80"
              }
            ],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetStockObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3910"
              }
            ],
            "repeated": 0,
            "id": 1370
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "SelectObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3660"
              }
            ],
            "repeated": 0,
            "id": 1371
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "SetBkMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3ad0"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3a0000"
              },
              {
                "name": "FunctionName",
                "value": "SetTextColor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3a3c40"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4c18",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "GetLocaleInfoEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3ecb40"
              }
            ],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTickCount64"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3e5d30"
              }
            ],
            "repeated": 0,
            "id": 1376
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserPreferredUILanguages"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f0590"
              }
            ],
            "repeated": 0,
            "id": 1377
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "LCIDToLocaleName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f0640"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "LocaleNameToLCID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3ee080"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "MulDiv"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f5000"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "MultiByteToWideChar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3e5810"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SleepEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f4aa0"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4c18",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "WinSqmAddToStream"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6fec0"
              }
            ],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4c18",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 1385
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "DrawTextExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa77eae0"
              }
            ],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "EnumDisplaySettingsW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa768830"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "FillRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa783640"
              }
            ],
            "repeated": 0,
            "id": 1388
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa786600"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetDCEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa794410"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetDesktopWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa76ae40"
              }
            ],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetMonitorInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa780b70"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessWindowStation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa794690"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetSysColor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa786310"
              }
            ],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemMetrics"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa781220"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadDesktop"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa794730"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserObjectInformationW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa794780"
              }
            ],
            "repeated": 0,
            "id": 1397
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "InvalidateRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa794980"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "LogicalToPhysicalPointForPerMonitorDPI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa794ab0"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "MonitorFromWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa7814b0"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "OffsetRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa76ae10"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "RedrawWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa794d50"
              }
            ],
            "repeated": 0,
            "id": 1402
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "ReleaseDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa784010"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd4cbc",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "SystemParametersInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa7836b0"
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd6aa8",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd6af7",
            "parentcaller": "0x7ff737dcc29e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySystemInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8d420"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dd6b19",
            "parentcaller": "0x7ff737dcc29e",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "134"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc09b",
            "parentcaller": "0x7ff737dcc2ab",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1408
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc0cb",
            "parentcaller": "0x7ff737dcc2ab",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2026-06-29 12:44:18,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc0e3",
            "parentcaller": "0x7ff737dcc2ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1410
          },
          {
            "timestamp": "2026-06-29 12:44:23,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msctf.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9a10000"
              }
            ],
            "repeated": 0,
            "id": 1411
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a9a10000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\MSCTF.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1414
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xecZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x80\\xff\\xff\\xff\\xff\\xfb\"\\xa2\\x86\\xf9\\x7f\\x00\\x00p+\\xaf\\xa9\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xf9\\x7f\\x00\\x00\\xbbe\\xb5w\\xd1\\xc4\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1416
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b4"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\CTF\\DirectSwitchHotkeys"
              },
              {
                "name": "Handle",
                "value": "0x00000468"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys"
              }
            ],
            "repeated": 0,
            "id": 1418
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\CTF\\DirectSwitchHotkeys\\"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690cf0a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1422
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x169106b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00800000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "58"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000460"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x16910eb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x16910eb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000488"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 1434
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa760000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "IsGUIThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa7884b0"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa9f93b0"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f9b0"
              }
            ],
            "repeated": 0,
            "id": 1440
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa32450"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 1442
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa4cb70"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1447
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1448
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 1454
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa767250"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWindowExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa7676b0"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "DefWindowProcW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8ca40"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowLongPtrW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa76b750"
              }
            ],
            "repeated": 0,
            "id": 1465
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "SetTimer"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa784070"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1469
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9aa760000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2612"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa78bf10"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowLongPtrW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa76f7c0"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowThreadProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa763500"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessageCallbackW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa788280"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000494"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1485
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-com-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 1486
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a96b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-com-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1487
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateGuid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97316e0"
              }
            ],
            "repeated": 0,
            "id": 1488
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b4a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1491
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x169106b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1493
          },
          {
            "timestamp": "2026-06-29 12:44:23,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2582"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa7874e0"
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "srand",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "seed",
                "value": "0x6a4268a7"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1499
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa9f93b0"
              }
            ],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa8f9b0"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa32450"
              }
            ],
            "repeated": 0,
            "id": 1502
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa6f950"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa4cb70"
              }
            ],
            "repeated": 0,
            "id": 1504
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5432:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1511
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
              },
              {
                "name": "Handle",
                "value": "0x000004ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              },
              {
                "name": "ValueName",
                "value": "IsVailContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer"
              }
            ],
            "repeated": 0,
            "id": 1517
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Input"
              },
              {
                "name": "Handle",
                "value": "0x000004ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input"
              }
            ],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              },
              {
                "name": "ValueName",
                "value": "ResyncResetTime"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime"
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              },
              {
                "name": "ValueName",
                "value": "MaxResyncAttempts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1524
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1525
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1531
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "iertutil.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff99f680000"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9b21000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x16910eb3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b59d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af1e0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2026-06-29 12:44:23,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2541"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa7946a0"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1542
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1543
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2613"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa7841e0"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa760000"
              },
              {
                "name": "FunctionName",
                "value": "PostMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa781410"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a58d0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 1549
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b59f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2026-06-29 12:44:23,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b5a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000082"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x0001008c",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2026-06-29 12:44:24,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1560
          },
          {
            "timestamp": "2026-06-29 12:44:24,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000082"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2026-06-29 12:44:24,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2026-06-29 12:44:24,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2026-06-29 12:44:24,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1564
          },
          {
            "timestamp": "2026-06-29 12:44:24,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1565
          },
          {
            "timestamp": "2026-06-29 12:44:24,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000082"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2026-06-29 12:44:24,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2026-06-29 12:44:24,702",
            "thread_id": "5436",
            "caller": "0x7ff737dc9197",
            "parentcaller": "0x7ff737dcbb3f",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 3,
            "id": 1568
          },
          {
            "timestamp": "2026-06-29 12:44:24,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2026-06-29 12:44:24,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1570
          },
          {
            "timestamp": "2026-06-29 12:44:24,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2026-06-29 12:44:24,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1690b5a5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2026-06-29 12:44:24,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2026-06-29 12:44:36,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af1e0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2026-06-29 12:44:36,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1575
          },
          {
            "timestamp": "2026-06-29 12:44:36,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 1576
          },
          {
            "timestamp": "2026-06-29 12:44:42,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 6,
            "id": 1577
          },
          {
            "timestamp": "2026-06-29 12:44:42,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2026-06-29 12:44:42,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2026-06-29 12:44:42,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2026-06-29 12:44:42,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1581
          },
          {
            "timestamp": "2026-06-29 12:44:42,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5adc70"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2026-06-29 12:44:42,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2026-06-29 12:44:42,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2026-06-29 12:44:42,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2026-06-29 12:44:42,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2026-06-29 12:44:44,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2026-06-29 12:44:44,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1588
          },
          {
            "timestamp": "2026-06-29 12:44:44,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2026-06-29 12:44:44,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1590
          },
          {
            "timestamp": "2026-06-29 12:44:44,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2026-06-29 12:44:44,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2026-06-29 12:44:44,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2026-06-29 12:44:44,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1594
          },
          {
            "timestamp": "2026-06-29 12:44:44,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2026-06-29 12:44:44,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2026-06-29 12:44:44,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2026-06-29 12:44:44,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1598
          },
          {
            "timestamp": "2026-06-29 12:44:44,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1599
          },
          {
            "timestamp": "2026-06-29 12:44:44,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2026-06-29 12:44:44,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1601
          },
          {
            "timestamp": "2026-06-29 12:44:44,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1602
          },
          {
            "timestamp": "2026-06-29 12:44:44,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1603
          },
          {
            "timestamp": "2026-06-29 12:44:44,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2026-06-29 12:44:44,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1605
          },
          {
            "timestamp": "2026-06-29 12:44:44,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2026-06-29 12:44:44,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1607
          },
          {
            "timestamp": "2026-06-29 12:44:44,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af1e0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2026-06-29 12:44:45,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1609
          },
          {
            "timestamp": "2026-06-29 12:44:45,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 1610
          },
          {
            "timestamp": "2026-06-29 12:44:48,468",
            "thread_id": "5684",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004bc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2026-06-29 12:44:48,468",
            "thread_id": "5684",
            "caller": "0x7ff9a9c1fa82",
            "parentcaller": "0x7ff9a9c1f9e4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2026-06-29 12:44:56,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 6,
            "id": 1613
          },
          {
            "timestamp": "2026-06-29 12:44:56,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2026-06-29 12:44:56,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2026-06-29 12:44:56,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2026-06-29 12:44:56,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1617
          },
          {
            "timestamp": "2026-06-29 12:44:56,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5adc70"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1618
          },
          {
            "timestamp": "2026-06-29 12:44:56,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2026-06-29 12:44:56,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2026-06-29 12:44:56,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2026-06-29 12:44:58,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2026-06-29 12:45:00,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2026-06-29 12:45:00,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1624
          },
          {
            "timestamp": "2026-06-29 12:45:00,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2026-06-29 12:45:00,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2026-06-29 12:45:00,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2026-06-29 12:45:00,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2026-06-29 12:45:01,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2026-06-29 12:45:01,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2026-06-29 12:45:01,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xeeZ+.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa2\\xf8\\xc1\\x9b\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\xa8\\x95\\xaa\\xf9\\x7f\\x00\\x00\\xe0\\x05\\xaf\\xa9\\xf9\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004ac"
              },
              {
                "name": "SubKey",
                "value": "Keyboard Layout\\Toggle"
              },
              {
                "name": "Handle",
                "value": "0x000004b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              },
              {
                "name": "ValueName",
                "value": "Language Hotkey"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              },
              {
                "name": "ValueName",
                "value": "Hotkey"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              },
              {
                "name": "ValueName",
                "value": "Layout Hotkey"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99bcf4000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ole32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a92a0000"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a92a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\ole32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a92a0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 1645
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a92a0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1648
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1649
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2026-06-29 12:45:01,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2026-06-29 12:45:01,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2026-06-29 12:45:01,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1653
          },
          {
            "timestamp": "2026-06-29 12:45:01,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2026-06-29 12:45:01,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1655
          },
          {
            "timestamp": "2026-06-29 12:45:01,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2026-06-29 12:45:01,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2026-06-29 12:45:01,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2026-06-29 12:45:01,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1659
          },
          {
            "timestamp": "2026-06-29 12:45:01,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2026-06-29 12:45:01,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1661
          },
          {
            "timestamp": "2026-06-29 12:45:01,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2026-06-29 12:45:01,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2026-06-29 12:45:01,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2026-06-29 12:45:01,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1665
          },
          {
            "timestamp": "2026-06-29 12:45:02,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2026-06-29 12:45:02,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1667
          },
          {
            "timestamp": "2026-06-29 12:45:02,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2026-06-29 12:45:02,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1669
          },
          {
            "timestamp": "2026-06-29 12:45:02,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2026-06-29 12:45:02,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1671
          },
          {
            "timestamp": "2026-06-29 12:45:02,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2026-06-29 12:45:02,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1673
          },
          {
            "timestamp": "2026-06-29 12:45:02,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2026-06-29 12:45:02,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1675
          },
          {
            "timestamp": "2026-06-29 12:45:02,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2026-06-29 12:45:02,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1677
          },
          {
            "timestamp": "2026-06-29 12:45:02,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2026-06-29 12:45:02,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1679
          },
          {
            "timestamp": "2026-06-29 12:45:02,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2026-06-29 12:45:02,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2026-06-29 12:45:02,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1682
          },
          {
            "timestamp": "2026-06-29 12:45:02,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1683
          },
          {
            "timestamp": "2026-06-29 12:45:02,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1684
          },
          {
            "timestamp": "2026-06-29 12:45:02,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1685
          },
          {
            "timestamp": "2026-06-29 12:45:02,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2026-06-29 12:45:02,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1687
          },
          {
            "timestamp": "2026-06-29 12:45:02,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2026-06-29 12:45:02,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1689
          },
          {
            "timestamp": "2026-06-29 12:45:02,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2026-06-29 12:45:02,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1691
          },
          {
            "timestamp": "2026-06-29 12:45:02,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2026-06-29 12:45:02,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2026-06-29 12:45:02,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2026-06-29 12:45:02,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1695
          },
          {
            "timestamp": "2026-06-29 12:45:02,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2026-06-29 12:45:02,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1697
          },
          {
            "timestamp": "2026-06-29 12:45:02,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2026-06-29 12:45:02,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1699
          },
          {
            "timestamp": "2026-06-29 12:45:02,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2026-06-29 12:45:02,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1701
          },
          {
            "timestamp": "2026-06-29 12:45:02,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2026-06-29 12:45:02,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1703
          },
          {
            "timestamp": "2026-06-29 12:45:02,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2026-06-29 12:45:02,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2026-06-29 12:45:02,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2026-06-29 12:45:02,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1707
          },
          {
            "timestamp": "2026-06-29 12:45:02,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2026-06-29 12:45:02,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1709
          },
          {
            "timestamp": "2026-06-29 12:45:02,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2026-06-29 12:45:02,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1711
          },
          {
            "timestamp": "2026-06-29 12:45:02,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2026-06-29 12:45:02,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1713
          },
          {
            "timestamp": "2026-06-29 12:45:02,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2026-06-29 12:45:02,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1715
          },
          {
            "timestamp": "2026-06-29 12:45:02,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1716
          },
          {
            "timestamp": "2026-06-29 12:45:02,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1717
          },
          {
            "timestamp": "2026-06-29 12:45:02,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1718
          },
          {
            "timestamp": "2026-06-29 12:45:02,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1719
          },
          {
            "timestamp": "2026-06-29 12:45:02,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2026-06-29 12:45:02,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1721
          },
          {
            "timestamp": "2026-06-29 12:45:02,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2026-06-29 12:45:02,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2026-06-29 12:45:02,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2026-06-29 12:45:02,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1725
          },
          {
            "timestamp": "2026-06-29 12:45:02,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2026-06-29 12:45:02,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1727
          },
          {
            "timestamp": "2026-06-29 12:45:02,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1728
          },
          {
            "timestamp": "2026-06-29 12:45:02,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2026-06-29 12:45:02,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2026-06-29 12:45:02,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1731
          },
          {
            "timestamp": "2026-06-29 12:45:02,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1732
          },
          {
            "timestamp": "2026-06-29 12:45:02,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1733
          },
          {
            "timestamp": "2026-06-29 12:45:02,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1734
          },
          {
            "timestamp": "2026-06-29 12:45:02,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2026-06-29 12:45:02,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2026-06-29 12:45:02,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1737
          },
          {
            "timestamp": "2026-06-29 12:45:02,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2026-06-29 12:45:02,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1739
          },
          {
            "timestamp": "2026-06-29 12:45:02,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2026-06-29 12:45:02,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1741
          },
          {
            "timestamp": "2026-06-29 12:45:02,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2026-06-29 12:45:02,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1743
          },
          {
            "timestamp": "2026-06-29 12:45:02,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2026-06-29 12:45:02,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1745
          },
          {
            "timestamp": "2026-06-29 12:45:02,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1746
          },
          {
            "timestamp": "2026-06-29 12:45:02,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2026-06-29 12:45:02,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2026-06-29 12:45:02,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1749
          },
          {
            "timestamp": "2026-06-29 12:45:02,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2026-06-29 12:45:02,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1751
          },
          {
            "timestamp": "2026-06-29 12:45:02,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1752
          },
          {
            "timestamp": "2026-06-29 12:45:02,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2026-06-29 12:45:02,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1754
          },
          {
            "timestamp": "2026-06-29 12:45:02,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1755
          },
          {
            "timestamp": "2026-06-29 12:45:02,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1756
          },
          {
            "timestamp": "2026-06-29 12:45:02,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1757
          },
          {
            "timestamp": "2026-06-29 12:45:02,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1758
          },
          {
            "timestamp": "2026-06-29 12:45:02,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2026-06-29 12:45:02,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1760
          },
          {
            "timestamp": "2026-06-29 12:45:02,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1761
          },
          {
            "timestamp": "2026-06-29 12:45:02,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2026-06-29 12:45:02,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1763
          },
          {
            "timestamp": "2026-06-29 12:45:02,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1764
          },
          {
            "timestamp": "2026-06-29 12:45:02,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2026-06-29 12:45:02,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2026-06-29 12:45:02,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1767
          },
          {
            "timestamp": "2026-06-29 12:45:02,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2026-06-29 12:45:02,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1769
          },
          {
            "timestamp": "2026-06-29 12:45:02,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2026-06-29 12:45:02,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1771
          },
          {
            "timestamp": "2026-06-29 12:45:02,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2026-06-29 12:45:02,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1773
          },
          {
            "timestamp": "2026-06-29 12:45:02,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2026-06-29 12:45:02,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1775
          },
          {
            "timestamp": "2026-06-29 12:45:02,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2026-06-29 12:45:02,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1777
          },
          {
            "timestamp": "2026-06-29 12:45:02,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2026-06-29 12:45:02,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1779
          },
          {
            "timestamp": "2026-06-29 12:45:02,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2026-06-29 12:45:02,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1781
          },
          {
            "timestamp": "2026-06-29 12:45:02,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2026-06-29 12:45:02,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2026-06-29 12:45:02,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2026-06-29 12:45:02,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1785
          },
          {
            "timestamp": "2026-06-29 12:45:02,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2026-06-29 12:45:02,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1787
          },
          {
            "timestamp": "2026-06-29 12:45:02,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2026-06-29 12:45:02,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2026-06-29 12:45:02,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2026-06-29 12:45:02,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1791
          },
          {
            "timestamp": "2026-06-29 12:45:02,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2026-06-29 12:45:02,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1793
          },
          {
            "timestamp": "2026-06-29 12:45:02,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2026-06-29 12:45:02,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2026-06-29 12:45:02,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2026-06-29 12:45:02,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1797
          },
          {
            "timestamp": "2026-06-29 12:45:02,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2026-06-29 12:45:02,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1799
          },
          {
            "timestamp": "2026-06-29 12:45:02,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2026-06-29 12:45:02,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2026-06-29 12:45:02,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2026-06-29 12:45:02,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1803
          },
          {
            "timestamp": "2026-06-29 12:45:02,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2026-06-29 12:45:02,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1805
          },
          {
            "timestamp": "2026-06-29 12:45:02,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2026-06-29 12:45:02,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2026-06-29 12:45:02,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2026-06-29 12:45:02,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1809
          },
          {
            "timestamp": "2026-06-29 12:45:02,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2026-06-29 12:45:02,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1811
          },
          {
            "timestamp": "2026-06-29 12:45:02,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1812
          },
          {
            "timestamp": "2026-06-29 12:45:02,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2026-06-29 12:45:02,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1814
          },
          {
            "timestamp": "2026-06-29 12:45:02,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1815
          },
          {
            "timestamp": "2026-06-29 12:45:02,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2026-06-29 12:45:02,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1817
          },
          {
            "timestamp": "2026-06-29 12:45:02,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2026-06-29 12:45:02,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2026-06-29 12:45:02,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2026-06-29 12:45:02,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1821
          },
          {
            "timestamp": "2026-06-29 12:45:02,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2026-06-29 12:45:02,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1823
          },
          {
            "timestamp": "2026-06-29 12:45:02,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2026-06-29 12:45:02,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2026-06-29 12:45:02,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2026-06-29 12:45:02,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1827
          },
          {
            "timestamp": "2026-06-29 12:45:02,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1828
          },
          {
            "timestamp": "2026-06-29 12:45:02,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1829
          },
          {
            "timestamp": "2026-06-29 12:45:02,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1830
          },
          {
            "timestamp": "2026-06-29 12:45:02,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2026-06-29 12:45:02,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2026-06-29 12:45:02,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1833
          },
          {
            "timestamp": "2026-06-29 12:45:02,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2026-06-29 12:45:02,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1835
          },
          {
            "timestamp": "2026-06-29 12:45:02,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2026-06-29 12:45:02,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2026-06-29 12:45:02,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2026-06-29 12:45:02,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1839
          },
          {
            "timestamp": "2026-06-29 12:45:02,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2026-06-29 12:45:02,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1841
          },
          {
            "timestamp": "2026-06-29 12:45:02,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2026-06-29 12:45:02,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2026-06-29 12:45:02,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2026-06-29 12:45:02,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1845
          },
          {
            "timestamp": "2026-06-29 12:45:03,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2026-06-29 12:45:03,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1847
          },
          {
            "timestamp": "2026-06-29 12:45:03,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2026-06-29 12:45:03,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2026-06-29 12:45:03,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2026-06-29 12:45:03,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1851
          },
          {
            "timestamp": "2026-06-29 12:45:03,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2026-06-29 12:45:03,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2026-06-29 12:45:03,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2026-06-29 12:45:03,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2026-06-29 12:45:03,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2026-06-29 12:45:03,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2026-06-29 12:45:03,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2026-06-29 12:45:03,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1859
          },
          {
            "timestamp": "2026-06-29 12:45:03,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2026-06-29 12:45:03,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2026-06-29 12:45:03,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2026-06-29 12:45:03,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2026-06-29 12:45:03,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2026-06-29 12:45:03,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2026-06-29 12:45:03,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2026-06-29 12:45:03,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1867
          },
          {
            "timestamp": "2026-06-29 12:45:03,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2026-06-29 12:45:03,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2026-06-29 12:45:03,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2026-06-29 12:45:03,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2026-06-29 12:45:03,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2026-06-29 12:45:03,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2026-06-29 12:45:03,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2026-06-29 12:45:03,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1875
          },
          {
            "timestamp": "2026-06-29 12:45:03,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2026-06-29 12:45:03,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2026-06-29 12:45:03,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2026-06-29 12:45:03,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2026-06-29 12:45:03,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2026-06-29 12:45:03,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2026-06-29 12:45:03,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2026-06-29 12:45:03,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1883
          },
          {
            "timestamp": "2026-06-29 12:45:03,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2026-06-29 12:45:03,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2026-06-29 12:45:03,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2026-06-29 12:45:03,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2026-06-29 12:45:03,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2026-06-29 12:45:03,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2026-06-29 12:45:03,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2026-06-29 12:45:03,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1891
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1896
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2026-06-29 12:45:03,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1899
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2026-06-29 12:45:03,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1907
          },
          {
            "timestamp": "2026-06-29 12:45:03,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2026-06-29 12:45:03,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2026-06-29 12:45:03,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2026-06-29 12:45:03,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2026-06-29 12:45:03,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2026-06-29 12:45:03,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2026-06-29 12:45:03,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2026-06-29 12:45:03,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1915
          },
          {
            "timestamp": "2026-06-29 12:45:03,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2026-06-29 12:45:03,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2026-06-29 12:45:03,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2026-06-29 12:45:03,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2026-06-29 12:45:03,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2026-06-29 12:45:03,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2026-06-29 12:45:03,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1922
          },
          {
            "timestamp": "2026-06-29 12:45:03,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1923
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1926
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2026-06-29 12:45:03,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1931
          },
          {
            "timestamp": "2026-06-29 12:45:03,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2026-06-29 12:45:03,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2026-06-29 12:45:03,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2026-06-29 12:45:03,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2026-06-29 12:45:03,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2026-06-29 12:45:03,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2026-06-29 12:45:03,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2026-06-29 12:45:03,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 1939
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1940
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1941
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2026-06-29 12:45:03,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1947
          },
          {
            "timestamp": "2026-06-29 12:45:03,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2026-06-29 12:45:03,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1949
          },
          {
            "timestamp": "2026-06-29 12:45:03,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2026-06-29 12:45:03,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2026-06-29 12:45:03,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2026-06-29 12:45:03,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1953
          },
          {
            "timestamp": "2026-06-29 12:45:03,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2026-06-29 12:45:03,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2026-06-29 12:45:03,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2026-06-29 12:45:03,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2026-06-29 12:45:03,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1958
          },
          {
            "timestamp": "2026-06-29 12:45:03,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1959
          },
          {
            "timestamp": "2026-06-29 12:45:03,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2026-06-29 12:45:03,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2026-06-29 12:45:03,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2026-06-29 12:45:03,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1963
          },
          {
            "timestamp": "2026-06-29 12:45:03,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1964
          },
          {
            "timestamp": "2026-06-29 12:45:03,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1965
          },
          {
            "timestamp": "2026-06-29 12:45:03,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2026-06-29 12:45:03,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1967
          },
          {
            "timestamp": "2026-06-29 12:45:03,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1968
          },
          {
            "timestamp": "2026-06-29 12:45:03,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2026-06-29 12:45:03,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2026-06-29 12:45:03,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1971
          },
          {
            "timestamp": "2026-06-29 12:45:03,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1972
          },
          {
            "timestamp": "2026-06-29 12:45:03,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2026-06-29 12:45:03,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1974
          },
          {
            "timestamp": "2026-06-29 12:45:03,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1975
          },
          {
            "timestamp": "2026-06-29 12:45:03,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1976
          },
          {
            "timestamp": "2026-06-29 12:45:03,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1977
          },
          {
            "timestamp": "2026-06-29 12:45:03,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2026-06-29 12:45:03,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2026-06-29 12:45:03,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1980
          },
          {
            "timestamp": "2026-06-29 12:45:03,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2026-06-29 12:45:03,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2026-06-29 12:45:03,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1983
          },
          {
            "timestamp": "2026-06-29 12:45:03,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2026-06-29 12:45:03,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2026-06-29 12:45:03,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2026-06-29 12:45:03,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1987
          },
          {
            "timestamp": "2026-06-29 12:45:03,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1988
          },
          {
            "timestamp": "2026-06-29 12:45:03,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1989
          },
          {
            "timestamp": "2026-06-29 12:45:03,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2026-06-29 12:45:03,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2026-06-29 12:45:03,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2026-06-29 12:45:03,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1993
          },
          {
            "timestamp": "2026-06-29 12:45:03,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2026-06-29 12:45:03,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 1995
          },
          {
            "timestamp": "2026-06-29 12:45:03,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1996
          },
          {
            "timestamp": "2026-06-29 12:45:03,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2026-06-29 12:45:03,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2026-06-29 12:45:03,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2026-06-29 12:45:03,718",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2026-06-29 12:45:03,718",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2001
          },
          {
            "timestamp": "2026-06-29 12:45:03,718",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2026-06-29 12:45:03,718",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2026-06-29 12:45:03,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2026-06-29 12:45:03,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2005
          },
          {
            "timestamp": "2026-06-29 12:45:03,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2006
          },
          {
            "timestamp": "2026-06-29 12:45:03,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2007
          },
          {
            "timestamp": "2026-06-29 12:45:03,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2008
          },
          {
            "timestamp": "2026-06-29 12:45:03,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2009
          },
          {
            "timestamp": "2026-06-29 12:45:03,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2010
          },
          {
            "timestamp": "2026-06-29 12:45:03,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2026-06-29 12:45:03,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2026-06-29 12:45:03,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2013
          },
          {
            "timestamp": "2026-06-29 12:45:03,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2026-06-29 12:45:03,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2026-06-29 12:45:03,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2026-06-29 12:45:03,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2017
          },
          {
            "timestamp": "2026-06-29 12:45:03,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2018
          },
          {
            "timestamp": "2026-06-29 12:45:03,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2019
          },
          {
            "timestamp": "2026-06-29 12:45:03,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2020
          },
          {
            "timestamp": "2026-06-29 12:45:03,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2021
          },
          {
            "timestamp": "2026-06-29 12:45:03,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2022
          },
          {
            "timestamp": "2026-06-29 12:45:03,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2023
          },
          {
            "timestamp": "2026-06-29 12:45:03,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2024
          },
          {
            "timestamp": "2026-06-29 12:45:03,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2025
          },
          {
            "timestamp": "2026-06-29 12:45:03,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2026
          },
          {
            "timestamp": "2026-06-29 12:45:03,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2027
          },
          {
            "timestamp": "2026-06-29 12:45:03,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2028
          },
          {
            "timestamp": "2026-06-29 12:45:03,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2029
          },
          {
            "timestamp": "2026-06-29 12:45:03,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2030
          },
          {
            "timestamp": "2026-06-29 12:45:03,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2031
          },
          {
            "timestamp": "2026-06-29 12:45:03,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2032
          },
          {
            "timestamp": "2026-06-29 12:45:03,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2033
          },
          {
            "timestamp": "2026-06-29 12:45:03,874",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2034
          },
          {
            "timestamp": "2026-06-29 12:45:03,874",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2035
          },
          {
            "timestamp": "2026-06-29 12:45:03,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2036
          },
          {
            "timestamp": "2026-06-29 12:45:03,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2037
          },
          {
            "timestamp": "2026-06-29 12:45:03,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2038
          },
          {
            "timestamp": "2026-06-29 12:45:03,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2039
          },
          {
            "timestamp": "2026-06-29 12:45:03,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2040
          },
          {
            "timestamp": "2026-06-29 12:45:03,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2041
          },
          {
            "timestamp": "2026-06-29 12:45:03,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2042
          },
          {
            "timestamp": "2026-06-29 12:45:03,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2043
          },
          {
            "timestamp": "2026-06-29 12:45:03,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2044
          },
          {
            "timestamp": "2026-06-29 12:45:03,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2045
          },
          {
            "timestamp": "2026-06-29 12:45:03,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2046
          },
          {
            "timestamp": "2026-06-29 12:45:03,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2047
          },
          {
            "timestamp": "2026-06-29 12:45:03,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2048
          },
          {
            "timestamp": "2026-06-29 12:45:03,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2049
          },
          {
            "timestamp": "2026-06-29 12:45:03,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2050
          },
          {
            "timestamp": "2026-06-29 12:45:03,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2051
          },
          {
            "timestamp": "2026-06-29 12:45:03,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2052
          },
          {
            "timestamp": "2026-06-29 12:45:03,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2053
          },
          {
            "timestamp": "2026-06-29 12:45:03,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2054
          },
          {
            "timestamp": "2026-06-29 12:45:03,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2055
          },
          {
            "timestamp": "2026-06-29 12:45:03,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2056
          },
          {
            "timestamp": "2026-06-29 12:45:04,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2057
          },
          {
            "timestamp": "2026-06-29 12:45:04,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2058
          },
          {
            "timestamp": "2026-06-29 12:45:04,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2059
          },
          {
            "timestamp": "2026-06-29 12:45:04,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2060
          },
          {
            "timestamp": "2026-06-29 12:45:04,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2061
          },
          {
            "timestamp": "2026-06-29 12:45:04,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2062
          },
          {
            "timestamp": "2026-06-29 12:45:04,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2063
          },
          {
            "timestamp": "2026-06-29 12:45:04,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2064
          },
          {
            "timestamp": "2026-06-29 12:45:04,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2065
          },
          {
            "timestamp": "2026-06-29 12:45:04,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2066
          },
          {
            "timestamp": "2026-06-29 12:45:04,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2067
          },
          {
            "timestamp": "2026-06-29 12:45:04,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2068
          },
          {
            "timestamp": "2026-06-29 12:45:04,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2069
          },
          {
            "timestamp": "2026-06-29 12:45:04,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2070
          },
          {
            "timestamp": "2026-06-29 12:45:04,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2071
          },
          {
            "timestamp": "2026-06-29 12:45:04,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2072
          },
          {
            "timestamp": "2026-06-29 12:45:04,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2073
          },
          {
            "timestamp": "2026-06-29 12:45:04,077",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2074
          },
          {
            "timestamp": "2026-06-29 12:45:04,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2075
          },
          {
            "timestamp": "2026-06-29 12:45:04,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2076
          },
          {
            "timestamp": "2026-06-29 12:45:04,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2077
          },
          {
            "timestamp": "2026-06-29 12:45:04,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2078
          },
          {
            "timestamp": "2026-06-29 12:45:04,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2079
          },
          {
            "timestamp": "2026-06-29 12:45:04,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2080
          },
          {
            "timestamp": "2026-06-29 12:45:04,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2081
          },
          {
            "timestamp": "2026-06-29 12:45:04,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2082
          },
          {
            "timestamp": "2026-06-29 12:45:04,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2083
          },
          {
            "timestamp": "2026-06-29 12:45:04,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2084
          },
          {
            "timestamp": "2026-06-29 12:45:04,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2085
          },
          {
            "timestamp": "2026-06-29 12:45:04,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2086
          },
          {
            "timestamp": "2026-06-29 12:45:04,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2087
          },
          {
            "timestamp": "2026-06-29 12:45:04,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2088
          },
          {
            "timestamp": "2026-06-29 12:45:04,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2089
          },
          {
            "timestamp": "2026-06-29 12:45:04,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2090
          },
          {
            "timestamp": "2026-06-29 12:45:04,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2091
          },
          {
            "timestamp": "2026-06-29 12:45:04,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2092
          },
          {
            "timestamp": "2026-06-29 12:45:04,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2093
          },
          {
            "timestamp": "2026-06-29 12:45:04,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2094
          },
          {
            "timestamp": "2026-06-29 12:45:04,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2095
          },
          {
            "timestamp": "2026-06-29 12:45:04,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2096
          },
          {
            "timestamp": "2026-06-29 12:45:04,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2097
          },
          {
            "timestamp": "2026-06-29 12:45:04,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2098
          },
          {
            "timestamp": "2026-06-29 12:45:04,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2099
          },
          {
            "timestamp": "2026-06-29 12:45:04,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2100
          },
          {
            "timestamp": "2026-06-29 12:45:04,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2101
          },
          {
            "timestamp": "2026-06-29 12:45:04,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2102
          },
          {
            "timestamp": "2026-06-29 12:45:04,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2103
          },
          {
            "timestamp": "2026-06-29 12:45:04,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2104
          },
          {
            "timestamp": "2026-06-29 12:45:04,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2105
          },
          {
            "timestamp": "2026-06-29 12:45:04,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2106
          },
          {
            "timestamp": "2026-06-29 12:45:04,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2107
          },
          {
            "timestamp": "2026-06-29 12:45:04,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2108
          },
          {
            "timestamp": "2026-06-29 12:45:04,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2109
          },
          {
            "timestamp": "2026-06-29 12:45:04,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2110
          },
          {
            "timestamp": "2026-06-29 12:45:04,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2111
          },
          {
            "timestamp": "2026-06-29 12:45:04,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2112
          },
          {
            "timestamp": "2026-06-29 12:45:04,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2113
          },
          {
            "timestamp": "2026-06-29 12:45:04,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2114
          },
          {
            "timestamp": "2026-06-29 12:45:04,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2115
          },
          {
            "timestamp": "2026-06-29 12:45:04,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2116
          },
          {
            "timestamp": "2026-06-29 12:45:04,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2117
          },
          {
            "timestamp": "2026-06-29 12:45:04,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2118
          },
          {
            "timestamp": "2026-06-29 12:45:04,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2119
          },
          {
            "timestamp": "2026-06-29 12:45:04,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2120
          },
          {
            "timestamp": "2026-06-29 12:45:04,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2121
          },
          {
            "timestamp": "2026-06-29 12:45:04,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2122
          },
          {
            "timestamp": "2026-06-29 12:45:04,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2123
          },
          {
            "timestamp": "2026-06-29 12:45:04,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2124
          },
          {
            "timestamp": "2026-06-29 12:45:04,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2125
          },
          {
            "timestamp": "2026-06-29 12:45:04,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2126
          },
          {
            "timestamp": "2026-06-29 12:45:04,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2127
          },
          {
            "timestamp": "2026-06-29 12:45:04,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2128
          },
          {
            "timestamp": "2026-06-29 12:45:04,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2129
          },
          {
            "timestamp": "2026-06-29 12:45:04,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2130
          },
          {
            "timestamp": "2026-06-29 12:45:04,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2131
          },
          {
            "timestamp": "2026-06-29 12:45:04,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2132
          },
          {
            "timestamp": "2026-06-29 12:45:04,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2133
          },
          {
            "timestamp": "2026-06-29 12:45:04,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2134
          },
          {
            "timestamp": "2026-06-29 12:45:04,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2135
          },
          {
            "timestamp": "2026-06-29 12:45:04,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2136
          },
          {
            "timestamp": "2026-06-29 12:45:04,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2137
          },
          {
            "timestamp": "2026-06-29 12:45:04,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2138
          },
          {
            "timestamp": "2026-06-29 12:45:04,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2139
          },
          {
            "timestamp": "2026-06-29 12:45:04,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2140
          },
          {
            "timestamp": "2026-06-29 12:45:04,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2141
          },
          {
            "timestamp": "2026-06-29 12:45:04,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2142
          },
          {
            "timestamp": "2026-06-29 12:45:04,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2143
          },
          {
            "timestamp": "2026-06-29 12:45:04,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2144
          },
          {
            "timestamp": "2026-06-29 12:45:04,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2145
          },
          {
            "timestamp": "2026-06-29 12:45:04,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2146
          },
          {
            "timestamp": "2026-06-29 12:45:04,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2147
          },
          {
            "timestamp": "2026-06-29 12:45:04,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2148
          },
          {
            "timestamp": "2026-06-29 12:45:04,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2149
          },
          {
            "timestamp": "2026-06-29 12:45:04,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2150
          },
          {
            "timestamp": "2026-06-29 12:45:04,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2151
          },
          {
            "timestamp": "2026-06-29 12:45:04,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2152
          },
          {
            "timestamp": "2026-06-29 12:45:04,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2153
          },
          {
            "timestamp": "2026-06-29 12:45:04,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2154
          },
          {
            "timestamp": "2026-06-29 12:45:04,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2155
          },
          {
            "timestamp": "2026-06-29 12:45:04,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2156
          },
          {
            "timestamp": "2026-06-29 12:45:04,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2157
          },
          {
            "timestamp": "2026-06-29 12:45:04,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2158
          },
          {
            "timestamp": "2026-06-29 12:45:04,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2159
          },
          {
            "timestamp": "2026-06-29 12:45:04,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2160
          },
          {
            "timestamp": "2026-06-29 12:45:04,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2161
          },
          {
            "timestamp": "2026-06-29 12:45:04,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2162
          },
          {
            "timestamp": "2026-06-29 12:45:04,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2163
          },
          {
            "timestamp": "2026-06-29 12:45:04,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2164
          },
          {
            "timestamp": "2026-06-29 12:45:04,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2165
          },
          {
            "timestamp": "2026-06-29 12:45:04,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2166
          },
          {
            "timestamp": "2026-06-29 12:45:04,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2167
          },
          {
            "timestamp": "2026-06-29 12:45:04,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2168
          },
          {
            "timestamp": "2026-06-29 12:45:04,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2169
          },
          {
            "timestamp": "2026-06-29 12:45:04,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2170
          },
          {
            "timestamp": "2026-06-29 12:45:05,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2171
          },
          {
            "timestamp": "2026-06-29 12:45:05,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2172
          },
          {
            "timestamp": "2026-06-29 12:45:05,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2173
          },
          {
            "timestamp": "2026-06-29 12:45:05,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2174
          },
          {
            "timestamp": "2026-06-29 12:45:05,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2175
          },
          {
            "timestamp": "2026-06-29 12:45:05,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2176
          },
          {
            "timestamp": "2026-06-29 12:45:05,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2177
          },
          {
            "timestamp": "2026-06-29 12:45:05,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2178
          },
          {
            "timestamp": "2026-06-29 12:45:05,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2179
          },
          {
            "timestamp": "2026-06-29 12:45:05,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2180
          },
          {
            "timestamp": "2026-06-29 12:45:05,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2181
          },
          {
            "timestamp": "2026-06-29 12:45:05,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2182
          },
          {
            "timestamp": "2026-06-29 12:45:05,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2183
          },
          {
            "timestamp": "2026-06-29 12:45:05,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2184
          },
          {
            "timestamp": "2026-06-29 12:45:05,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2185
          },
          {
            "timestamp": "2026-06-29 12:45:05,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2186
          },
          {
            "timestamp": "2026-06-29 12:45:05,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2187
          },
          {
            "timestamp": "2026-06-29 12:45:05,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2188
          },
          {
            "timestamp": "2026-06-29 12:45:05,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2189
          },
          {
            "timestamp": "2026-06-29 12:45:05,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2190
          },
          {
            "timestamp": "2026-06-29 12:45:05,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2191
          },
          {
            "timestamp": "2026-06-29 12:45:05,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2192
          },
          {
            "timestamp": "2026-06-29 12:45:05,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2193
          },
          {
            "timestamp": "2026-06-29 12:45:05,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2194
          },
          {
            "timestamp": "2026-06-29 12:45:05,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2195
          },
          {
            "timestamp": "2026-06-29 12:45:05,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2196
          },
          {
            "timestamp": "2026-06-29 12:45:05,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2197
          },
          {
            "timestamp": "2026-06-29 12:45:05,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2198
          },
          {
            "timestamp": "2026-06-29 12:45:05,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2199
          },
          {
            "timestamp": "2026-06-29 12:45:05,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2200
          },
          {
            "timestamp": "2026-06-29 12:45:05,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2201
          },
          {
            "timestamp": "2026-06-29 12:45:05,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2202
          },
          {
            "timestamp": "2026-06-29 12:45:05,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2203
          },
          {
            "timestamp": "2026-06-29 12:45:05,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2204
          },
          {
            "timestamp": "2026-06-29 12:45:05,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2205
          },
          {
            "timestamp": "2026-06-29 12:45:05,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2206
          },
          {
            "timestamp": "2026-06-29 12:45:05,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2207
          },
          {
            "timestamp": "2026-06-29 12:45:05,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2208
          },
          {
            "timestamp": "2026-06-29 12:45:05,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2209
          },
          {
            "timestamp": "2026-06-29 12:45:05,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2210
          },
          {
            "timestamp": "2026-06-29 12:45:05,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2211
          },
          {
            "timestamp": "2026-06-29 12:45:05,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2212
          },
          {
            "timestamp": "2026-06-29 12:45:05,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2213
          },
          {
            "timestamp": "2026-06-29 12:45:05,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2214
          },
          {
            "timestamp": "2026-06-29 12:45:05,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2215
          },
          {
            "timestamp": "2026-06-29 12:45:05,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2216
          },
          {
            "timestamp": "2026-06-29 12:45:05,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2217
          },
          {
            "timestamp": "2026-06-29 12:45:05,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2218
          },
          {
            "timestamp": "2026-06-29 12:45:05,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2219
          },
          {
            "timestamp": "2026-06-29 12:45:05,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2220
          },
          {
            "timestamp": "2026-06-29 12:45:05,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2221
          },
          {
            "timestamp": "2026-06-29 12:45:05,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2222
          },
          {
            "timestamp": "2026-06-29 12:45:05,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2223
          },
          {
            "timestamp": "2026-06-29 12:45:05,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2224
          },
          {
            "timestamp": "2026-06-29 12:45:05,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2225
          },
          {
            "timestamp": "2026-06-29 12:45:05,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2226
          },
          {
            "timestamp": "2026-06-29 12:45:05,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2227
          },
          {
            "timestamp": "2026-06-29 12:45:05,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2228
          },
          {
            "timestamp": "2026-06-29 12:45:05,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2229
          },
          {
            "timestamp": "2026-06-29 12:45:05,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2230
          },
          {
            "timestamp": "2026-06-29 12:45:05,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2231
          },
          {
            "timestamp": "2026-06-29 12:45:05,671",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2232
          },
          {
            "timestamp": "2026-06-29 12:45:05,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2233
          },
          {
            "timestamp": "2026-06-29 12:45:05,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2234
          },
          {
            "timestamp": "2026-06-29 12:45:05,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2235
          },
          {
            "timestamp": "2026-06-29 12:45:05,687",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2236
          },
          {
            "timestamp": "2026-06-29 12:45:05,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2237
          },
          {
            "timestamp": "2026-06-29 12:45:05,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2238
          },
          {
            "timestamp": "2026-06-29 12:45:05,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2239
          },
          {
            "timestamp": "2026-06-29 12:45:05,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2240
          },
          {
            "timestamp": "2026-06-29 12:45:05,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2241
          },
          {
            "timestamp": "2026-06-29 12:45:05,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2242
          },
          {
            "timestamp": "2026-06-29 12:45:05,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2243
          },
          {
            "timestamp": "2026-06-29 12:45:05,734",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2244
          },
          {
            "timestamp": "2026-06-29 12:45:05,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2245
          },
          {
            "timestamp": "2026-06-29 12:45:05,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2246
          },
          {
            "timestamp": "2026-06-29 12:45:05,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2247
          },
          {
            "timestamp": "2026-06-29 12:45:05,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2248
          },
          {
            "timestamp": "2026-06-29 12:45:05,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2249
          },
          {
            "timestamp": "2026-06-29 12:45:05,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2250
          },
          {
            "timestamp": "2026-06-29 12:45:05,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2251
          },
          {
            "timestamp": "2026-06-29 12:45:05,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2252
          },
          {
            "timestamp": "2026-06-29 12:45:05,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2253
          },
          {
            "timestamp": "2026-06-29 12:45:05,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2254
          },
          {
            "timestamp": "2026-06-29 12:45:05,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2255
          },
          {
            "timestamp": "2026-06-29 12:45:05,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2256
          },
          {
            "timestamp": "2026-06-29 12:45:05,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2257
          },
          {
            "timestamp": "2026-06-29 12:45:05,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2258
          },
          {
            "timestamp": "2026-06-29 12:45:05,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2259
          },
          {
            "timestamp": "2026-06-29 12:45:05,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2260
          },
          {
            "timestamp": "2026-06-29 12:45:05,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2261
          },
          {
            "timestamp": "2026-06-29 12:45:05,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2262
          },
          {
            "timestamp": "2026-06-29 12:45:05,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2263
          },
          {
            "timestamp": "2026-06-29 12:45:05,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2264
          },
          {
            "timestamp": "2026-06-29 12:45:05,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2265
          },
          {
            "timestamp": "2026-06-29 12:45:05,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2266
          },
          {
            "timestamp": "2026-06-29 12:45:05,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2267
          },
          {
            "timestamp": "2026-06-29 12:45:05,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2268
          },
          {
            "timestamp": "2026-06-29 12:45:05,874",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2269
          },
          {
            "timestamp": "2026-06-29 12:45:05,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2270
          },
          {
            "timestamp": "2026-06-29 12:45:05,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2271
          },
          {
            "timestamp": "2026-06-29 12:45:05,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2272
          },
          {
            "timestamp": "2026-06-29 12:45:05,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2273
          },
          {
            "timestamp": "2026-06-29 12:45:05,890",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2274
          },
          {
            "timestamp": "2026-06-29 12:45:05,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2275
          },
          {
            "timestamp": "2026-06-29 12:45:05,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2276
          },
          {
            "timestamp": "2026-06-29 12:45:05,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2277
          },
          {
            "timestamp": "2026-06-29 12:45:05,906",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2278
          },
          {
            "timestamp": "2026-06-29 12:45:05,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2279
          },
          {
            "timestamp": "2026-06-29 12:45:05,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2280
          },
          {
            "timestamp": "2026-06-29 12:45:05,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2281
          },
          {
            "timestamp": "2026-06-29 12:45:05,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2282
          },
          {
            "timestamp": "2026-06-29 12:45:05,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2283
          },
          {
            "timestamp": "2026-06-29 12:45:05,952",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2284
          },
          {
            "timestamp": "2026-06-29 12:45:05,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2285
          },
          {
            "timestamp": "2026-06-29 12:45:05,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2286
          },
          {
            "timestamp": "2026-06-29 12:45:05,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2287
          },
          {
            "timestamp": "2026-06-29 12:45:05,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2288
          },
          {
            "timestamp": "2026-06-29 12:45:05,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2289
          },
          {
            "timestamp": "2026-06-29 12:45:05,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2290
          },
          {
            "timestamp": "2026-06-29 12:45:05,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2291
          },
          {
            "timestamp": "2026-06-29 12:45:05,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2292
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2293
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2294
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2295
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2296
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2297
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2298
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2299
          },
          {
            "timestamp": "2026-06-29 12:45:06,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2300
          },
          {
            "timestamp": "2026-06-29 12:45:06,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2301
          },
          {
            "timestamp": "2026-06-29 12:45:06,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2302
          },
          {
            "timestamp": "2026-06-29 12:45:06,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2303
          },
          {
            "timestamp": "2026-06-29 12:45:06,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2304
          },
          {
            "timestamp": "2026-06-29 12:45:06,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2305
          },
          {
            "timestamp": "2026-06-29 12:45:06,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2306
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2307
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2308
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2309
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2310
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2311
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2312
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2313
          },
          {
            "timestamp": "2026-06-29 12:45:06,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2314
          },
          {
            "timestamp": "2026-06-29 12:45:06,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2315
          },
          {
            "timestamp": "2026-06-29 12:45:06,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2316
          },
          {
            "timestamp": "2026-06-29 12:45:06,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2317
          },
          {
            "timestamp": "2026-06-29 12:45:06,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2318
          },
          {
            "timestamp": "2026-06-29 12:45:06,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2319
          },
          {
            "timestamp": "2026-06-29 12:45:06,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2320
          },
          {
            "timestamp": "2026-06-29 12:45:06,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2321
          },
          {
            "timestamp": "2026-06-29 12:45:06,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2322
          },
          {
            "timestamp": "2026-06-29 12:45:06,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2323
          },
          {
            "timestamp": "2026-06-29 12:45:06,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2324
          },
          {
            "timestamp": "2026-06-29 12:45:06,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2325
          },
          {
            "timestamp": "2026-06-29 12:45:06,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2326
          },
          {
            "timestamp": "2026-06-29 12:45:06,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2327
          },
          {
            "timestamp": "2026-06-29 12:45:06,140",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2328
          },
          {
            "timestamp": "2026-06-29 12:45:06,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2329
          },
          {
            "timestamp": "2026-06-29 12:45:06,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2330
          },
          {
            "timestamp": "2026-06-29 12:45:06,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2331
          },
          {
            "timestamp": "2026-06-29 12:45:06,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2332
          },
          {
            "timestamp": "2026-06-29 12:45:06,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2333
          },
          {
            "timestamp": "2026-06-29 12:45:06,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2334
          },
          {
            "timestamp": "2026-06-29 12:45:06,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2335
          },
          {
            "timestamp": "2026-06-29 12:45:06,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2336
          },
          {
            "timestamp": "2026-06-29 12:45:06,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2337
          },
          {
            "timestamp": "2026-06-29 12:45:06,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2338
          },
          {
            "timestamp": "2026-06-29 12:45:06,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2339
          },
          {
            "timestamp": "2026-06-29 12:45:06,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2340
          },
          {
            "timestamp": "2026-06-29 12:45:06,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2341
          },
          {
            "timestamp": "2026-06-29 12:45:06,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2342
          },
          {
            "timestamp": "2026-06-29 12:45:06,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2343
          },
          {
            "timestamp": "2026-06-29 12:45:06,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2344
          },
          {
            "timestamp": "2026-06-29 12:45:06,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2345
          },
          {
            "timestamp": "2026-06-29 12:45:06,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2346
          },
          {
            "timestamp": "2026-06-29 12:45:06,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2347
          },
          {
            "timestamp": "2026-06-29 12:45:06,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2348
          },
          {
            "timestamp": "2026-06-29 12:45:06,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2349
          },
          {
            "timestamp": "2026-06-29 12:45:06,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2350
          },
          {
            "timestamp": "2026-06-29 12:45:06,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2351
          },
          {
            "timestamp": "2026-06-29 12:45:06,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2352
          },
          {
            "timestamp": "2026-06-29 12:45:06,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2353
          },
          {
            "timestamp": "2026-06-29 12:45:06,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2354
          },
          {
            "timestamp": "2026-06-29 12:45:06,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2355
          },
          {
            "timestamp": "2026-06-29 12:45:06,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2356
          },
          {
            "timestamp": "2026-06-29 12:45:06,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2357
          },
          {
            "timestamp": "2026-06-29 12:45:06,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2358
          },
          {
            "timestamp": "2026-06-29 12:45:06,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2359
          },
          {
            "timestamp": "2026-06-29 12:45:06,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2360
          },
          {
            "timestamp": "2026-06-29 12:45:06,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2361
          },
          {
            "timestamp": "2026-06-29 12:45:06,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2362
          },
          {
            "timestamp": "2026-06-29 12:45:06,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2363
          },
          {
            "timestamp": "2026-06-29 12:45:06,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2364
          },
          {
            "timestamp": "2026-06-29 12:45:06,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2365
          },
          {
            "timestamp": "2026-06-29 12:45:06,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2366
          },
          {
            "timestamp": "2026-06-29 12:45:06,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2367
          },
          {
            "timestamp": "2026-06-29 12:45:06,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2368
          },
          {
            "timestamp": "2026-06-29 12:45:06,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2369
          },
          {
            "timestamp": "2026-06-29 12:45:06,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2370
          },
          {
            "timestamp": "2026-06-29 12:45:06,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2371
          },
          {
            "timestamp": "2026-06-29 12:45:06,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2372
          },
          {
            "timestamp": "2026-06-29 12:45:06,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2373
          },
          {
            "timestamp": "2026-06-29 12:45:06,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2374
          },
          {
            "timestamp": "2026-06-29 12:45:06,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2375
          },
          {
            "timestamp": "2026-06-29 12:45:06,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2376
          },
          {
            "timestamp": "2026-06-29 12:45:06,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2377
          },
          {
            "timestamp": "2026-06-29 12:45:06,359",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2378
          },
          {
            "timestamp": "2026-06-29 12:45:06,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2379
          },
          {
            "timestamp": "2026-06-29 12:45:06,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2380
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2381
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2382
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2383
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2384
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2385
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2386
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2387
          },
          {
            "timestamp": "2026-06-29 12:45:06,390",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2388
          },
          {
            "timestamp": "2026-06-29 12:45:06,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2389
          },
          {
            "timestamp": "2026-06-29 12:45:06,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2390
          },
          {
            "timestamp": "2026-06-29 12:45:06,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2391
          },
          {
            "timestamp": "2026-06-29 12:45:06,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2392
          },
          {
            "timestamp": "2026-06-29 12:45:06,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2393
          },
          {
            "timestamp": "2026-06-29 12:45:06,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2394
          },
          {
            "timestamp": "2026-06-29 12:45:06,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2395
          },
          {
            "timestamp": "2026-06-29 12:45:06,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2396
          },
          {
            "timestamp": "2026-06-29 12:45:06,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2397
          },
          {
            "timestamp": "2026-06-29 12:45:06,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2398
          },
          {
            "timestamp": "2026-06-29 12:45:06,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2399
          },
          {
            "timestamp": "2026-06-29 12:45:06,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2400
          },
          {
            "timestamp": "2026-06-29 12:45:06,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2401
          },
          {
            "timestamp": "2026-06-29 12:45:06,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2402
          },
          {
            "timestamp": "2026-06-29 12:45:06,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2403
          },
          {
            "timestamp": "2026-06-29 12:45:06,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2404
          },
          {
            "timestamp": "2026-06-29 12:45:06,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2405
          },
          {
            "timestamp": "2026-06-29 12:45:06,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2406
          },
          {
            "timestamp": "2026-06-29 12:45:06,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2407
          },
          {
            "timestamp": "2026-06-29 12:45:06,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2408
          },
          {
            "timestamp": "2026-06-29 12:45:06,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2409
          },
          {
            "timestamp": "2026-06-29 12:45:06,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2410
          },
          {
            "timestamp": "2026-06-29 12:45:06,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2411
          },
          {
            "timestamp": "2026-06-29 12:45:06,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2412
          },
          {
            "timestamp": "2026-06-29 12:45:06,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2413
          },
          {
            "timestamp": "2026-06-29 12:45:06,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2414
          },
          {
            "timestamp": "2026-06-29 12:45:06,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2415
          },
          {
            "timestamp": "2026-06-29 12:45:06,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2416
          },
          {
            "timestamp": "2026-06-29 12:45:06,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2417
          },
          {
            "timestamp": "2026-06-29 12:45:06,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2418
          },
          {
            "timestamp": "2026-06-29 12:45:06,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2419
          },
          {
            "timestamp": "2026-06-29 12:45:06,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2420
          },
          {
            "timestamp": "2026-06-29 12:45:06,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2421
          },
          {
            "timestamp": "2026-06-29 12:45:06,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2422
          },
          {
            "timestamp": "2026-06-29 12:45:06,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2423
          },
          {
            "timestamp": "2026-06-29 12:45:06,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2424
          },
          {
            "timestamp": "2026-06-29 12:45:06,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2425
          },
          {
            "timestamp": "2026-06-29 12:45:06,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2426
          },
          {
            "timestamp": "2026-06-29 12:45:06,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2427
          },
          {
            "timestamp": "2026-06-29 12:45:06,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2428
          },
          {
            "timestamp": "2026-06-29 12:45:06,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2429
          },
          {
            "timestamp": "2026-06-29 12:45:06,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2430
          },
          {
            "timestamp": "2026-06-29 12:45:06,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2431
          },
          {
            "timestamp": "2026-06-29 12:45:06,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2432
          },
          {
            "timestamp": "2026-06-29 12:45:06,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2433
          },
          {
            "timestamp": "2026-06-29 12:45:06,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2434
          },
          {
            "timestamp": "2026-06-29 12:45:06,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2435
          },
          {
            "timestamp": "2026-06-29 12:45:06,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2436
          },
          {
            "timestamp": "2026-06-29 12:45:07,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2437
          },
          {
            "timestamp": "2026-06-29 12:45:07,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2438
          },
          {
            "timestamp": "2026-06-29 12:45:07,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2439
          },
          {
            "timestamp": "2026-06-29 12:45:07,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2440
          },
          {
            "timestamp": "2026-06-29 12:45:07,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2441
          },
          {
            "timestamp": "2026-06-29 12:45:07,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2442
          },
          {
            "timestamp": "2026-06-29 12:45:07,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2443
          },
          {
            "timestamp": "2026-06-29 12:45:07,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2444
          },
          {
            "timestamp": "2026-06-29 12:45:07,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2445
          },
          {
            "timestamp": "2026-06-29 12:45:07,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2446
          },
          {
            "timestamp": "2026-06-29 12:45:07,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2447
          },
          {
            "timestamp": "2026-06-29 12:45:07,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2448
          },
          {
            "timestamp": "2026-06-29 12:45:07,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2449
          },
          {
            "timestamp": "2026-06-29 12:45:07,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2450
          },
          {
            "timestamp": "2026-06-29 12:45:07,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2451
          },
          {
            "timestamp": "2026-06-29 12:45:07,656",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2452
          },
          {
            "timestamp": "2026-06-29 12:45:07,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2453
          },
          {
            "timestamp": "2026-06-29 12:45:07,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2454
          },
          {
            "timestamp": "2026-06-29 12:45:07,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2455
          },
          {
            "timestamp": "2026-06-29 12:45:07,781",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2456
          },
          {
            "timestamp": "2026-06-29 12:45:07,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2457
          },
          {
            "timestamp": "2026-06-29 12:45:07,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2458
          },
          {
            "timestamp": "2026-06-29 12:45:07,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2459
          },
          {
            "timestamp": "2026-06-29 12:45:07,843",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2460
          },
          {
            "timestamp": "2026-06-29 12:45:07,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2461
          },
          {
            "timestamp": "2026-06-29 12:45:07,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2462
          },
          {
            "timestamp": "2026-06-29 12:45:07,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2463
          },
          {
            "timestamp": "2026-06-29 12:45:07,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2464
          },
          {
            "timestamp": "2026-06-29 12:45:07,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2465
          },
          {
            "timestamp": "2026-06-29 12:45:07,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2466
          },
          {
            "timestamp": "2026-06-29 12:45:08,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2467
          },
          {
            "timestamp": "2026-06-29 12:45:08,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2468
          },
          {
            "timestamp": "2026-06-29 12:45:08,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2469
          },
          {
            "timestamp": "2026-06-29 12:45:08,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2470
          },
          {
            "timestamp": "2026-06-29 12:45:08,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2471
          },
          {
            "timestamp": "2026-06-29 12:45:08,124",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2472
          },
          {
            "timestamp": "2026-06-29 12:45:08,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2473
          },
          {
            "timestamp": "2026-06-29 12:45:08,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2474
          },
          {
            "timestamp": "2026-06-29 12:45:08,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2475
          },
          {
            "timestamp": "2026-06-29 12:45:08,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2476
          },
          {
            "timestamp": "2026-06-29 12:45:08,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2477
          },
          {
            "timestamp": "2026-06-29 12:45:08,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2478
          },
          {
            "timestamp": "2026-06-29 12:45:08,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2479
          },
          {
            "timestamp": "2026-06-29 12:45:08,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2480
          },
          {
            "timestamp": "2026-06-29 12:45:08,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2481
          },
          {
            "timestamp": "2026-06-29 12:45:08,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2482
          },
          {
            "timestamp": "2026-06-29 12:45:08,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2483
          },
          {
            "timestamp": "2026-06-29 12:45:08,468",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2484
          },
          {
            "timestamp": "2026-06-29 12:45:08,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2485
          },
          {
            "timestamp": "2026-06-29 12:45:08,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2486
          },
          {
            "timestamp": "2026-06-29 12:45:08,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2487
          },
          {
            "timestamp": "2026-06-29 12:45:08,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2488
          },
          {
            "timestamp": "2026-06-29 12:45:08,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2489
          },
          {
            "timestamp": "2026-06-29 12:45:08,609",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2490
          },
          {
            "timestamp": "2026-06-29 12:45:08,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2491
          },
          {
            "timestamp": "2026-06-29 12:45:08,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2492
          },
          {
            "timestamp": "2026-06-29 12:45:08,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2493
          },
          {
            "timestamp": "2026-06-29 12:45:08,702",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2494
          },
          {
            "timestamp": "2026-06-29 12:45:08,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2495
          },
          {
            "timestamp": "2026-06-29 12:45:08,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2496
          },
          {
            "timestamp": "2026-06-29 12:45:08,874",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2497
          },
          {
            "timestamp": "2026-06-29 12:45:08,874",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2498
          },
          {
            "timestamp": "2026-06-29 12:45:08,874",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2499
          },
          {
            "timestamp": "2026-06-29 12:45:08,874",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2500
          },
          {
            "timestamp": "2026-06-29 12:45:08,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2501
          },
          {
            "timestamp": "2026-06-29 12:45:08,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2502
          },
          {
            "timestamp": "2026-06-29 12:45:09,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2503
          },
          {
            "timestamp": "2026-06-29 12:45:09,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2504
          },
          {
            "timestamp": "2026-06-29 12:45:09,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2505
          },
          {
            "timestamp": "2026-06-29 12:45:09,015",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2506
          },
          {
            "timestamp": "2026-06-29 12:45:09,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2507
          },
          {
            "timestamp": "2026-06-29 12:45:09,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2508
          },
          {
            "timestamp": "2026-06-29 12:45:09,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2509
          },
          {
            "timestamp": "2026-06-29 12:45:09,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2510
          },
          {
            "timestamp": "2026-06-29 12:45:09,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2511
          },
          {
            "timestamp": "2026-06-29 12:45:09,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2512
          },
          {
            "timestamp": "2026-06-29 12:45:09,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2513
          },
          {
            "timestamp": "2026-06-29 12:45:09,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2514
          },
          {
            "timestamp": "2026-06-29 12:45:09,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2515
          },
          {
            "timestamp": "2026-06-29 12:45:09,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2516
          },
          {
            "timestamp": "2026-06-29 12:45:09,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2517
          },
          {
            "timestamp": "2026-06-29 12:45:09,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2518
          },
          {
            "timestamp": "2026-06-29 12:45:09,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2519
          },
          {
            "timestamp": "2026-06-29 12:45:09,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2520
          },
          {
            "timestamp": "2026-06-29 12:45:09,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2521
          },
          {
            "timestamp": "2026-06-29 12:45:09,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2522
          },
          {
            "timestamp": "2026-06-29 12:45:09,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2523
          },
          {
            "timestamp": "2026-06-29 12:45:09,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2524
          },
          {
            "timestamp": "2026-06-29 12:45:09,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2525
          },
          {
            "timestamp": "2026-06-29 12:45:09,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2526
          },
          {
            "timestamp": "2026-06-29 12:45:09,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2527
          },
          {
            "timestamp": "2026-06-29 12:45:09,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2528
          },
          {
            "timestamp": "2026-06-29 12:45:09,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2529
          },
          {
            "timestamp": "2026-06-29 12:45:09,765",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2530
          },
          {
            "timestamp": "2026-06-29 12:45:10,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2531
          },
          {
            "timestamp": "2026-06-29 12:45:10,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2532
          },
          {
            "timestamp": "2026-06-29 12:45:10,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2533
          },
          {
            "timestamp": "2026-06-29 12:45:10,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2534
          },
          {
            "timestamp": "2026-06-29 12:45:10,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2535
          },
          {
            "timestamp": "2026-06-29 12:45:10,296",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2536
          },
          {
            "timestamp": "2026-06-29 12:45:10,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2537
          },
          {
            "timestamp": "2026-06-29 12:45:10,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2538
          },
          {
            "timestamp": "2026-06-29 12:45:10,531",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af1e0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2539
          },
          {
            "timestamp": "2026-06-29 12:45:10,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2540
          },
          {
            "timestamp": "2026-06-29 12:45:10,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 1,
            "id": 2541
          },
          {
            "timestamp": "2026-06-29 12:45:13,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcc3ac",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 6,
            "id": 2542
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2543
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2544
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2545
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2546
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5ae5a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2547
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2548
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 2549
          },
          {
            "timestamp": "2026-06-29 12:45:13,327",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 2550
          },
          {
            "timestamp": "2026-06-29 12:45:13,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2551
          },
          {
            "timestamp": "2026-06-29 12:45:13,343",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2552
          },
          {
            "timestamp": "2026-06-29 12:45:13,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2553
          },
          {
            "timestamp": "2026-06-29 12:45:13,374",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2554
          },
          {
            "timestamp": "2026-06-29 12:45:13,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2555
          },
          {
            "timestamp": "2026-06-29 12:45:13,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2556
          },
          {
            "timestamp": "2026-06-29 12:45:13,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2557
          },
          {
            "timestamp": "2026-06-29 12:45:13,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2558
          },
          {
            "timestamp": "2026-06-29 12:45:13,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2559
          },
          {
            "timestamp": "2026-06-29 12:45:13,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2560
          },
          {
            "timestamp": "2026-06-29 12:45:13,546",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2561
          },
          {
            "timestamp": "2026-06-29 12:45:13,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2562
          },
          {
            "timestamp": "2026-06-29 12:45:13,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2563
          },
          {
            "timestamp": "2026-06-29 12:45:13,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2564
          },
          {
            "timestamp": "2026-06-29 12:45:13,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2565
          },
          {
            "timestamp": "2026-06-29 12:45:13,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2566
          },
          {
            "timestamp": "2026-06-29 12:45:13,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2567
          },
          {
            "timestamp": "2026-06-29 12:45:14,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2568
          },
          {
            "timestamp": "2026-06-29 12:45:14,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2569
          },
          {
            "timestamp": "2026-06-29 12:45:14,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2570
          },
          {
            "timestamp": "2026-06-29 12:45:14,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2571
          },
          {
            "timestamp": "2026-06-29 12:45:14,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2572
          },
          {
            "timestamp": "2026-06-29 12:45:14,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2573
          },
          {
            "timestamp": "2026-06-29 12:45:14,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0c0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2574
          },
          {
            "timestamp": "2026-06-29 12:45:14,452",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2575
          },
          {
            "timestamp": "2026-06-29 12:45:15,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2576
          },
          {
            "timestamp": "2026-06-29 12:45:15,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2577
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2578
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2579
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2580
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2581
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2582
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2583
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2584
          },
          {
            "timestamp": "2026-06-29 12:45:15,187",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2585
          },
          {
            "timestamp": "2026-06-29 12:45:15,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2586
          },
          {
            "timestamp": "2026-06-29 12:45:15,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2587
          },
          {
            "timestamp": "2026-06-29 12:45:15,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2588
          },
          {
            "timestamp": "2026-06-29 12:45:15,202",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2589
          },
          {
            "timestamp": "2026-06-29 12:45:15,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2590
          },
          {
            "timestamp": "2026-06-29 12:45:15,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2591
          },
          {
            "timestamp": "2026-06-29 12:45:15,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2592
          },
          {
            "timestamp": "2026-06-29 12:45:15,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2593
          },
          {
            "timestamp": "2026-06-29 12:45:15,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2594
          },
          {
            "timestamp": "2026-06-29 12:45:15,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2595
          },
          {
            "timestamp": "2026-06-29 12:45:15,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2596
          },
          {
            "timestamp": "2026-06-29 12:45:15,234",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2597
          },
          {
            "timestamp": "2026-06-29 12:45:15,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2598
          },
          {
            "timestamp": "2026-06-29 12:45:15,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2599
          },
          {
            "timestamp": "2026-06-29 12:45:15,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2600
          },
          {
            "timestamp": "2026-06-29 12:45:15,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2601
          },
          {
            "timestamp": "2026-06-29 12:45:15,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2602
          },
          {
            "timestamp": "2026-06-29 12:45:15,249",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2603
          },
          {
            "timestamp": "2026-06-29 12:45:15,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2604
          },
          {
            "timestamp": "2026-06-29 12:45:15,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2605
          },
          {
            "timestamp": "2026-06-29 12:45:15,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2606
          },
          {
            "timestamp": "2026-06-29 12:45:15,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2607
          },
          {
            "timestamp": "2026-06-29 12:45:15,265",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2608
          },
          {
            "timestamp": "2026-06-29 12:45:15,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2609
          },
          {
            "timestamp": "2026-06-29 12:45:15,281",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2610
          },
          {
            "timestamp": "2026-06-29 12:45:15,624",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af1e0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2611
          },
          {
            "timestamp": "2026-06-29 12:45:15,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2612
          },
          {
            "timestamp": "2026-06-29 12:45:15,640",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 2613
          },
          {
            "timestamp": "2026-06-29 12:45:18,156",
            "thread_id": "5524",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5524"
              }
            ],
            "repeated": 0,
            "id": 2614
          },
          {
            "timestamp": "2026-06-29 12:45:18,156",
            "thread_id": "5520",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2615
          },
          {
            "timestamp": "2026-06-29 12:45:21,859",
            "thread_id": "5680",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a977b101",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000388"
              }
            ],
            "repeated": 0,
            "id": 2616
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcc3ac",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 6,
            "id": 2617
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2618
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2619
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2620
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2621
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5ae5a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2622
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2623
          },
          {
            "timestamp": "2026-06-29 12:45:24,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2624
          },
          {
            "timestamp": "2026-06-29 12:45:24,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2625
          },
          {
            "timestamp": "2026-06-29 12:45:24,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2626
          },
          {
            "timestamp": "2026-06-29 12:45:24,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 2627
          },
          {
            "timestamp": "2026-06-29 12:45:24,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2628
          },
          {
            "timestamp": "2026-06-29 12:45:24,937",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2629
          },
          {
            "timestamp": "2026-06-29 12:45:24,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2630
          },
          {
            "timestamp": "2026-06-29 12:45:24,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2631
          },
          {
            "timestamp": "2026-06-29 12:45:24,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2632
          },
          {
            "timestamp": "2026-06-29 12:45:24,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2633
          },
          {
            "timestamp": "2026-06-29 12:45:24,968",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2634
          },
          {
            "timestamp": "2026-06-29 12:45:36,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2635
          },
          {
            "timestamp": "2026-06-29 12:45:36,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2636
          },
          {
            "timestamp": "2026-06-29 12:45:36,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2637
          },
          {
            "timestamp": "2026-06-29 12:45:36,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2638
          },
          {
            "timestamp": "2026-06-29 12:45:36,562",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2639
          },
          {
            "timestamp": "2026-06-29 12:45:39,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2640
          },
          {
            "timestamp": "2026-06-29 12:45:39,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2641
          },
          {
            "timestamp": "2026-06-29 12:45:39,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2642
          },
          {
            "timestamp": "2026-06-29 12:45:39,062",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2643
          },
          {
            "timestamp": "2026-06-29 12:45:39,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2644
          },
          {
            "timestamp": "2026-06-29 12:45:39,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2645
          },
          {
            "timestamp": "2026-06-29 12:45:39,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2646
          },
          {
            "timestamp": "2026-06-29 12:45:42,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2647
          },
          {
            "timestamp": "2026-06-29 12:45:42,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2648
          },
          {
            "timestamp": "2026-06-29 12:45:42,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2649
          },
          {
            "timestamp": "2026-06-29 12:45:42,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2650
          },
          {
            "timestamp": "2026-06-29 12:45:42,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2651
          },
          {
            "timestamp": "2026-06-29 12:45:42,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2652
          },
          {
            "timestamp": "2026-06-29 12:45:42,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2653
          },
          {
            "timestamp": "2026-06-29 12:45:45,999",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2654
          },
          {
            "timestamp": "2026-06-29 12:45:48,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2655
          },
          {
            "timestamp": "2026-06-29 12:45:48,984",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2656
          },
          {
            "timestamp": "2026-06-29 12:45:49,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2657
          },
          {
            "timestamp": "2026-06-29 12:45:49,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2658
          },
          {
            "timestamp": "2026-06-29 12:45:49,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2659
          },
          {
            "timestamp": "2026-06-29 12:45:58,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2660
          },
          {
            "timestamp": "2026-06-29 12:45:58,515",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2661
          },
          {
            "timestamp": "2026-06-29 12:45:58,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2662
          },
          {
            "timestamp": "2026-06-29 12:45:58,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2663
          },
          {
            "timestamp": "2026-06-29 12:45:58,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2664
          },
          {
            "timestamp": "2026-06-29 12:46:06,406",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af1e0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2665
          },
          {
            "timestamp": "2026-06-29 12:46:06,421",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2666
          },
          {
            "timestamp": "2026-06-29 12:46:06,437",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e04f6"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 1,
            "id": 2667
          },
          {
            "timestamp": "2026-06-29 12:46:14,484",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbb57",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 6,
            "id": 2668
          },
          {
            "timestamp": "2026-06-29 12:46:14,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2669
          },
          {
            "timestamp": "2026-06-29 12:46:14,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2670
          },
          {
            "timestamp": "2026-06-29 12:46:14,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2671
          },
          {
            "timestamp": "2026-06-29 12:46:14,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2672
          },
          {
            "timestamp": "2026-06-29 12:46:14,499",
            "thread_id": "5436",
            "caller": "0x7ff737dcbabc",
            "parentcaller": "0x7ff737dcbabc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5adc70"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2673
          },
          {
            "timestamp": "2026-06-29 12:46:14,577",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2674
          },
          {
            "timestamp": "2026-06-29 12:46:14,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2675
          },
          {
            "timestamp": "2026-06-29 12:46:14,593",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2676
          },
          {
            "timestamp": "2026-06-29 12:46:17,109",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 1,
            "id": 2677
          },
          {
            "timestamp": "2026-06-29 12:46:21,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2678
          },
          {
            "timestamp": "2026-06-29 12:46:21,031",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2679
          },
          {
            "timestamp": "2026-06-29 12:46:21,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2680
          },
          {
            "timestamp": "2026-06-29 12:46:21,046",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2681
          },
          {
            "timestamp": "2026-06-29 12:46:21,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2682
          },
          {
            "timestamp": "2026-06-29 12:46:21,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2683
          },
          {
            "timestamp": "2026-06-29 12:46:21,093",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2684
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9a977afad",
            "parentcaller": "0x7ff9a977add9",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "16"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5680"
              }
            ],
            "repeated": 0,
            "id": 2685
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a977af45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000388"
              }
            ],
            "repeated": 0,
            "id": 2686
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9a96de87e",
            "parentcaller": "0x7ff9a977af54",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2687
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a977b2b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000374"
              }
            ],
            "repeated": 0,
            "id": 2688
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9a84a83ba",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5680"
              }
            ],
            "repeated": 0,
            "id": 2689
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2690
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2691
          },
          {
            "timestamp": "2026-06-29 12:46:21,218",
            "thread_id": "5680",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9a84a83ba",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2692
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5684",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5684"
              }
            ],
            "repeated": 0,
            "id": 2693
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5672",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5672"
              }
            ],
            "repeated": 0,
            "id": 2694
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5672",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa074ed",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 2695
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5684",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f032",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 2696
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5684",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f0f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b8"
              }
            ],
            "repeated": 0,
            "id": 2697
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5684",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2698
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5672",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f032",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 2699
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5672",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f0f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 2700
          },
          {
            "timestamp": "2026-06-29 12:46:32,156",
            "thread_id": "5672",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2701
          },
          {
            "timestamp": "2026-06-29 12:46:49,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2702
          },
          {
            "timestamp": "2026-06-29 12:46:49,749",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2703
          },
          {
            "timestamp": "2026-06-29 12:46:49,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2704
          },
          {
            "timestamp": "2026-06-29 12:46:49,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2705
          },
          {
            "timestamp": "2026-06-29 12:46:49,827",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2706
          },
          {
            "timestamp": "2026-06-29 12:46:52,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2707
          },
          {
            "timestamp": "2026-06-29 12:46:52,156",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2708
          },
          {
            "timestamp": "2026-06-29 12:46:52,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2709
          },
          {
            "timestamp": "2026-06-29 12:46:52,171",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2710
          },
          {
            "timestamp": "2026-06-29 12:46:52,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2711
          },
          {
            "timestamp": "2026-06-29 12:46:52,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2712
          },
          {
            "timestamp": "2026-06-29 12:46:52,218",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2713
          },
          {
            "timestamp": "2026-06-29 12:47:08,312",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 1,
            "id": 2714
          },
          {
            "timestamp": "2026-06-29 12:47:12,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2715
          },
          {
            "timestamp": "2026-06-29 12:47:12,796",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 2716
          },
          {
            "timestamp": "2026-06-29 12:47:12,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2717
          },
          {
            "timestamp": "2026-06-29 12:47:12,812",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2718
          },
          {
            "timestamp": "2026-06-29 12:47:12,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc3ac",
            "parentcaller": "0x7ff737de59b6",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5af0a0"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2719
          },
          {
            "timestamp": "2026-06-29 12:47:12,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00002006"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2720
          },
          {
            "timestamp": "2026-06-29 12:47:12,859",
            "thread_id": "5436",
            "caller": "0x7ff737dcc394",
            "parentcaller": "0x7ff737de59b6",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 2721
          },
          {
            "timestamp": "2026-06-29 12:47:14,921",
            "thread_id": "5436",
            "caller": "0x7ff737dcc034",
            "parentcaller": "0x7ff737dcbb57",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x2e2b5add20"
              },
              {
                "name": "EventName",
                "value": "Local\\2ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 2722
          }
        ],
        "threads": [
          "5436",
          "5556",
          "5552",
          "5548",
          "5544",
          "5672",
          "5680",
          "5684",
          "5524",
          "5520"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff737dc0000",
          "MainExeSize": "0x0003a000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 5760,
        "process_name": "dllhost.exe",
        "parent_id": 756,
        "module_path": "C:\\Windows\\System32\\dllhost.exe",
        "first_seen": "2026-06-29 12:44:46,531",
        "calls": [
          {
            "timestamp": "2026-06-29 12:44:47,312",
            "thread_id": "4664",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 12:44:47,312",
            "thread_id": "4664",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6f8be14e0"
              },
              {
                "name": "Parameter",
                "value": "0xae04ed5000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be12f2",
            "parentcaller": "0x7ff6f8be13bb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e577000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be12f2",
            "parentcaller": "0x7ff6f8be13bb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e578000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1349",
            "parentcaller": "0x7ff6f8be13dc",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff6f8be1b60"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "5884",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "5884",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000202"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "5360",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "5360",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 11
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "5340",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "5340",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4664"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000208"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000208"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a603f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-29 12:44:47,327",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6033f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "5356",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "5356",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000218"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x86A\\xd5\\x1a\\x12\\x90\\xbc\\xe3e@_\\xc4\\xbb\\xa4\\x17h\\xe2O\\xc8\\xbf\\xed\\xf9\\xb0\\xd9\\x99q\\xfe\\x0b\\x1e\\xf4d\\xf6\\xc8: 8%\\xbc[\\x88\\x9d\\xb1\\xab\\xe8\\x8d\\x97\\xd5_"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e57a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CLSIDFromOle1Class"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97680a0"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xf2\\xd4\\x04\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\xf2\\xd4\\x04\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:5760:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e580000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000244"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000244"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551fe40000"
              },
              {
                "name": "SectionOffset",
                "value": "0xae04d4f2e0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "Com+Enabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "clbcatq.dll"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-29 12:44:47,343",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000248"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a96a4000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\MaximumCommitCondition"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\clbcatq"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a961d990"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000250"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551fe50000"
              },
              {
                "name": "SectionOffset",
                "value": "0xae04d4f030"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000256"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "LocalService"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "RunAs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "ActivateAtStorage"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "ValueName",
                "value": "ROTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "ValueName",
                "value": "AppIDFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "ValueName",
                "value": "MGOTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "ValueName",
                "value": "ProcessMitigationPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "LegacyAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "LegacyImpersonationLevel"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "RemoteServerName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "SRPTrustLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-29 12:44:47,359",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "PreferredServerBitness"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "LoadUserSettings"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xeb\\xd4\\x04\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x10\\xf5\\xd4\\x04\\xae\\x00\\x00\\x00\\x90`\\x9b\\xa9\\xf9\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000001f8"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes"
              },
              {
                "name": "Handle",
                "value": "0x000001f4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              },
              {
                "name": "ValueName",
                "value": "ProtectionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000256"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e582000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "RaiseActivationAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xea\\xd4\\x04\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xb0\\xea\\xd4\\x04\\xae\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000025e"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000260"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "RaiseDefaultAuthnLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              },
              {
                "name": "ValueName",
                "value": "AccessPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AccessPermission"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025a"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "DefaultAccessPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x0eX\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00002100"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e584000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xef\\xd4\\x04\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x01F\\xa8\\xf9\\x7f\\x00\\x00\\x15 \r\\x042'\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00001680"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.COM.DISABLE.5760"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.IEC.STATUS.6c736db0"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e586000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000025e"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x0000026e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000026e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000272"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000272"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000272"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026e"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000026c"
              },
              {
                "name": "ValueName",
                "value": "NdrOleExtDLL"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "NdrOleInitializeExtension"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97850f0"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9747c50"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96dc030"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\x1fW\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0 W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\xcf \\x96\\xf0\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xf3\\xfc\\xa7\\xf9\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\x0eX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8dU\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x85\\x17\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x90\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\x88\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00X\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00x\\xe5\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8dU\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00x\\xe3\\xd4\\x04\\xae\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e588000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h%W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P!W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x12X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x17X\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xe5\\x13\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xf0\\xe1\\xd4\\x04\\xae\\x00\\x00\\x00\\xe8\\xe1\\xd4\\x04\\xae\\x00\\x00\\x00\\xb8\\xe1\\xd4\\x04\\xae\\x00\\x00\\x00\\xd8\\xe1\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x17X\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xd8\\xdf\\xd4\\x04\\xae\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e58a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000274"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e577480"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "4932"
              },
              {
                "name": "ProcessId",
                "value": "5760"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000274",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e577480"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4932"
              },
              {
                "name": "ProcessId",
                "value": "5760"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4932",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4932",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e577480"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8'W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00`.W\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P!W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x12X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8dU\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00u*\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00`\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00X\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00(\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00H\\xe9\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8dU\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xe7\\xd4\\x04\\xae\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8%W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0!W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00k\\x00e\\x00r\\x00n\\x00e\\x00l\\x00.\\x00a\\x00p\\x00p\\x00c\\x00o\\x00r\\x00e\\x00.\\x00d\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x12X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x17X\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xd5\\x17\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xc0\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xb8\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\x88\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xa8\\xe5\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x17X\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xe3\\xd4\\x04\\xae\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H!W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0%W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x10X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8dU\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00u*\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00`\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00X\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00(\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00H\\xe9\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8dU\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xe7\\xd4\\x04\\xae\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8!W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00k\\x00e\\x00r\\x00n\\x00e\\x00l\\x00.\\x00a\\x00p\\x00p\\x00c\\x00o\\x00r\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\"W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x12X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x17X\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xd5\\x17\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xc0\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xb8\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\x88\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xa8\\xe5\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x17X\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xe3\\xd4\\x04\\xae\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e58c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H!W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0!W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00k\\x00e\\x00r\\x00n\\x00e\\x00l\\x00.\\x00a\\x00p\\x00p\\x00c\\x00o\\x00r\\x00e\\x00.\\x00d\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x0eX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8dU\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00u*\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00`\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00X\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00(\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00H\\xe9\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8dU\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xe7\\xd4\\x04\\xae\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\"W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0%W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\rX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x17X\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xd5\\x17\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xc0\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xb8\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\x88\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xa8\\xe5\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x17X\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xe3\\xd4\\x04\\xae\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8%W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "0&W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x0fX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8dU\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00u*\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00`\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00X\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00(\\xe9\\xd4\\x04\\xae\\x00\\x00\\x00H\\xe9\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8dU\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xe7\\xd4\\x04\\xae\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H!W\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0!W\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00k\\x00e\\x00r\\x00n\\x00e\\x00l\\x00.\\x00a\\x00p\\x00p\\x00c\\x00o\\x00r\\x00e\\x00.\\x00d\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x12X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x17X\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xd5\\x17\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xc0\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xb8\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\x88\\xe5\\xd4\\x04\\xae\\x00\\x00\\x00\\xa8\\xe5\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x17X\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xe3\\xd4\\x04\\xae\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "2808",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "2808",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e550b50"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "2808",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e58d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "2808",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000027c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-29 12:44:47,374",
            "thread_id": "2808",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e58e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000290"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e577340"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "2800"
              },
              {
                "name": "ProcessId",
                "value": "5760"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000290",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e577340"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "2800"
              },
              {
                "name": "ProcessId",
                "value": "5760"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "4660",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "4660",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e550b50"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "2800",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "2800",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e577340"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "2800",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "2800",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-29 12:44:47,390",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9aa782e57",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9aa782e57",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9aa782e57",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a5b50000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9aa782ebb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a5b50000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a5b57ce0"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a5b57d20",
            "parentcaller": "0x7ff9aa78308c",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9aaa067b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xec\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa067ec",
            "parentcaller": "0x7ff9a84b15f0",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845f960",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845f984",
            "parentcaller": "0x7ff9a845eb81",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e5d4",
            "parentcaller": "0x7ff9a5b8e309",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e608",
            "parentcaller": "0x7ff9a5b8e309",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a5b5889c",
            "parentcaller": "0x7ff9a5b580dc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002ac"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e593000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a9bff351",
            "parentcaller": "0x7ff9a9bfd90f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a9bff42f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa69b6e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98+Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " 'Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\x11X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x17X\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00e/F\\x052'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00p\\xee\\x9f\\x05\\xae\\x00\\x00\\x00h\\xee\\x9f\\x05\\xae\\x00\\x00\\x008\\xee\\x9f\\x05\\xae\\x00\\x00\\x00X\\xee\\x9f\\x05"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x17X\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xec\\x9f\\x05\\xae\\x00\\x00\\x00\\xb4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa2953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "x!Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80*Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x0fX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb84X\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xc5(F\\x052'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xd0\\xea\\x9f\\x05\\xae\\x00\\x00\\x00\\xc8\\xea\\x9f\\x05\\xae\\x00\\x00\\x00\\x98\\xea\\x9f\\x05\\xae\\x00\\x00\\x00\\xb8\\xea\\x9f\\x05"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb04X\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xe8\\x9f\\x05\\xae\\x00\\x00\\x00\\xb4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4a7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e595000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "x-Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0!Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x0fX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18HY\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xa5\\x14\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xb0\\xe6\\xd4\\x04\\xae\\x00\\x00\\x00\\xa8\\xe6\\xd4\\x04\\xae\\x00\\x00\\x00x\\xe6\\xd4\\x04\\xae\\x00\\x00\\x00\\x98\\xe6\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10HY\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xe4\\xd4\\x04\\xae\\x00\\x00\\x00\\xbc\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8.Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@(Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x0cX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "HJY\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x05\\x10\r\\x042'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x10\\xe3\\xd4\\x04\\xae\\x00\\x00\\x00\\x08\\xe3\\xd4\\x04\\xae\\x00\\x00\\x00\\xd8\\xe2\\xd4\\x04\\xae\\x00\\x00\\x00\\xf8\\xe2\\xd4\\x04"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@JY\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xe0\\xd4\\x04\\xae\\x00\\x00\\x00\\xbc\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e596000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002b4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a9798aa0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e57f600"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "5968"
              },
              {
                "name": "ProcessId",
                "value": "5760"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002b4",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a9798aa0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e57f600"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "5968"
              },
              {
                "name": "ProcessId",
                "value": "5760"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              },
              {
                "name": "Milliseconds",
                "value": "20000"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "5968",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "5968",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a9798aa0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e57f600"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "5968",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9798ab9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "5968",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9798ab9",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "Milliseconds",
                "value": "30000"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "5968",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aa3e703d",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5968"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "5968",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aa3e703d",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002bc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "3340",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e598000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a96da750",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": ">\\xe0\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a96da6fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a9755d3f",
            "parentcaller": "0x7ff9a96d57c2",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x2551e5522f8",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "3340",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "3340",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x2551e550b50"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "3340",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e599000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978516f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785199",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851c3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9747c50"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851ed",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785217",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785241",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96dc030"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978526b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a978507f",
            "parentcaller": "0x7ff9aaa338b0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xbe\\x8f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xce\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb0\\xbf\\x8f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Class Factory for Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ce"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Apartment"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xbd\\x8f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xce\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00@\\xbe\\x8f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xbd\\x8f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xce\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00@\\xbe\\x8f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a976c0de",
            "parentcaller": "0x7ff9a976b5d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a976c116",
            "parentcaller": "0x7ff9a976b5d4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "MaxSxSHashCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a976c12f",
            "parentcaller": "0x7ff9a976b5d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a9754528",
            "parentcaller": "0x7ff9a9714d1b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a9754564",
            "parentcaller": "0x7ff9a9714d1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "GipActivityBypass"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\GipActivityBypass"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a975457d",
            "parentcaller": "0x7ff9a9714d1b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a9bff351",
            "parentcaller": "0x7ff9a9bfd90f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a9bff42f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa69b6e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98(Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " !Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x12X\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "(KY\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x005\\x1aF\\x052'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00 \\xd9\\x9f\\x05\\xae\\x00\\x00\\x00\\x18\\xd9\\x9f\\x05\\xae\\x00\\x00\\x00\\xe8\\xd8\\x9f\\x05\\xae\\x00\\x00\\x00\\x08\\xd9\\x9f\\x05"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 KY\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xd7\\x9f\\x05\\xae\\x00\\x00\\x00\\xdc\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa2953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\"Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0&Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00U\\x02\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x0cX\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18OY\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x95\\x07F\\x052'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x80\\xd5\\x9f\\x05\\xae\\x00\\x00\\x00x\\xd5\\x9f\\x05\\xae\\x00\\x00\\x00H\\xd5\\x9f\\x05\\xae\\x00\\x00\\x00h\\xd5\\x9f\\x05"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10OY\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00h\\xd3\\x9f\\x05\\xae\\x00\\x00\\x00\\xdc\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4a7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a84646e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551ff80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8462338",
            "parentcaller": "0x7ff9a84a9215",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8464b01",
            "parentcaller": "0x7ff9a84642d1",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 496
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a8464cf6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a8464c2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551ff90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a8464cad",
            "parentcaller": "0x7ff9a8464c5d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e59d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xc7\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xda\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x10\\xc8\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002da"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Class Factory for Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002da"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Apartment"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xc5\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xda\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xa0\\xc6\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002da"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xc5\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xda\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xa0\\xc6\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002da"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a972ae1c",
            "parentcaller": "0x7ff9a9728039",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002da"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728085",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "Data",
                "value": "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-29 12:44:47,406",
            "thread_id": "2800",
            "caller": "0x7ff9a9785fb3",
            "parentcaller": "0x7ff9a972b4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972b507",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "LocalService"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728527",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "RunAs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728642",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "ActivateAtStorage"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728761",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a97287b5",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": "ROTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728808",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": "AppIDFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728858",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": "MGOTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a97288ac",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": "ProcessMitigationPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a97288cf",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a97276e8",
            "parentcaller": "0x7ff9a97288f3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728938",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000002e4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a972897a",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              },
              {
                "name": "ValueName",
                "value": "LegacyAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a97289cd",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              },
              {
                "name": "ValueName",
                "value": "LegacyImpersonationLevel"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728a06",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728a4b",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "RemoteServerName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728af0",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "SRPTrustLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728b4f",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "PreferredServerBitness"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728bb2",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "LoadUserSettings"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9728c40",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "ProtectionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a972b72a",
            "parentcaller": "0x7ff9a972821a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9786f8c",
            "parentcaller": "0x7ff9a97282f0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002da"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9786fa9",
            "parentcaller": "0x7ff9a97282f0",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a8464d40",
            "parentcaller": "0x7ff9a97874a9",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a8464d60",
            "parentcaller": "0x7ff9a97874a9",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc4\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xda\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xe0\\xc5\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002da"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002da"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a972b02a",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a972b061",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e2"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a972b0c5",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000025e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a970953c",
            "parentcaller": "0x7ff9a970806b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002da"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-29 12:44:47,421",
            "thread_id": "2800",
            "caller": "0x7ff9a9708090",
            "parentcaller": "0x7ff9a96dace7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9aaa57be6",
            "parentcaller": "0x7ff9aaa2dde7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9aaa57be6",
            "parentcaller": "0x7ff9aaa2dde7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\thumbcache"
              },
              {
                "name": "DllBase",
                "value": "0x7ff992850000"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff992850000"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff992850000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff992850000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99286acb0"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff992850000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99287c6d0"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff992850000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99286c140"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9928b3000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-29 12:44:47,437",
            "thread_id": "2800",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9928b3000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a96cfb64",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb82",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetMarshalSizeMax"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9760fc0"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb9f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbbc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbd9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000025e"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{75121952-E0D0-43E5-9380-1D80483ACF72}"
              },
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{75121952-E0D0-43E5-9380-1D80483ACF72}"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xb7\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00 \\xb8\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8491fa9",
            "parentcaller": "0x7ff9a845e7b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\propsys.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 613
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xb5\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb0\\xb6\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xb5\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb0\\xb6\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb3\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xe0\\xb4\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8491fa9",
            "parentcaller": "0x7ff9a845e7b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\propsys.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 645
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xb2\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00p\\xb3\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xb2\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00p\\xb3\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a972ae1c",
            "parentcaller": "0x7ff9a9728039",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728085",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xb1\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xf2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\xb0\\xb2\\x9f\\x05\\xae\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002f2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a972b02a",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000236"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002f6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a972b061",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f6"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a972b0c5",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f6"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000025e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a970953c",
            "parentcaller": "0x7ff9a970806b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002f2"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9708090",
            "parentcaller": "0x7ff9a96dace7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f2"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\propsys"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a2720000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\propsys.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a2720000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a272b820"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a2720000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a2720000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a2756440"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a9bff351",
            "parentcaller": "0x7ff9a9bfd90f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a9bff42f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa69b6e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "8\"Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00/Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xddY\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8NY\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00%\\x0fF\\x052'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x000\\xce\\x9f\\x05\\xae\\x00\\x00\\x00(\\xce\\x9f\\x05\\xae\\x00\\x00\\x00\\xf8\\xcd\\x9f\\x05\\xae\\x00\\x00\\x00\\x18\\xce\\x9f\\x05"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0NY\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xcc\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa2953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf5\\xda\\x19\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X/Y\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0/Y\\x1eU\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xdbY\\x1eU\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08LY\\x1eU\\x02\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x85\\x08F\\x052'\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x90\\xca\\x9f\\x05\\xae\\x00\\x00\\x00\\x88\\xca\\x9f\\x05\\xae\\x00\\x00\\x00X\\xca\\x9f\\x05\\xae\\x00\\x00\\x00x\\xca\\x9f\\x05"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00LY\\x1eU\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00x\\xc8\\x9f\\x05\\xae\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4a7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-06-29 12:44:47,452",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "3340",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002e0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-06-29 12:44:47,468",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-06-29 12:44:47,484",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-06-29 12:44:47,499",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4660",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4660",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "2800",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "2800",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4660",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4660",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000c040a"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-06-29 12:44:47,515",
            "thread_id": "4664",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff99287c71f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff992869088",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99286731b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99286731b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\thumbcache"
              },
              {
                "name": "DllBase",
                "value": "0x7ff992850000"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9d6550f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "5760"
              },
              {
                "name": "ThreadId",
                "value": "2800"
              },
              {
                "name": "Message",
                "value": "1033"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a9d4ca48",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9d4ca0b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9d4ca0b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa60cd0",
            "parentcaller": "0x7ff9aaa20391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa60cd0",
            "parentcaller": "0x7ff9aaa20391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff992850000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a970b7c6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a977af45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a96de87e",
            "parentcaller": "0x7ff9a977af54",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a977b2b4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000028c"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9a84a83ba",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2800"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a92115b8",
            "parentcaller": "0x7ff9aaa09a1d",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f032",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f0f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "2800",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9a84a83ba",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4660",
            "caller": "0x7ff9a9c3c877",
            "parentcaller": "0x7ff9a9c3c7d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4660",
            "caller": "0x7ff9a9c1dde1",
            "parentcaller": "0x7ff9a9c1dd54",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e57a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e5a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551e585000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2551fe40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000236"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-06-29 12:44:52,531",
            "thread_id": "4664",
            "caller": "0x7ff6f8be1193",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 828
          }
        ],
        "threads": [
          "4664",
          "5884",
          "5360",
          "5340",
          "5356",
          "4932",
          "2808",
          "4660",
          "2800",
          "5968",
          "3340"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff6f8be0000",
          "MainExeSize": "0x00009000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 3904,
        "process_name": "dllhost.exe",
        "parent_id": 756,
        "module_path": "C:\\Windows\\System32\\dllhost.exe",
        "first_seen": "2026-06-29 12:45:48,271",
        "calls": [
          {
            "timestamp": "2026-06-29 12:45:48,411",
            "thread_id": "4108",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 12:45:48,411",
            "thread_id": "4108",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6f8be14e0"
              },
              {
                "name": "Parameter",
                "value": "0x9de77ee000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 12:45:48,411",
            "thread_id": "3468",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 12:45:48,411",
            "thread_id": "3468",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be12f2",
            "parentcaller": "0x7ff6f8be13bb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b057000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be12f2",
            "parentcaller": "0x7ff6f8be13bb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b058000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1349",
            "parentcaller": "0x7ff6f8be13dc",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff6f8be1b60"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000202"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4108"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "3156",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa077c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 2,
            "id": 12
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000001f4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a603f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f0"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f4"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6033f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "3156",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "3156",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "2804",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "2804",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a62a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "1804",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "1804",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff986a63070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000204"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-29 12:45:48,427",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000020c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000020c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000210"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "[\\x9d\\xaa\\x8a^\\x12\\xa2\\xde\\xed\\xeblX\\xe4?\\x05\\x15\\xe56c\\xca[\\x95\\xe2\\xcf\\x9c\\x7f\\x87\\xee\r\\x93g\\xdft;\\x948\\xc2T\\xa2\\x96\\x9b\\x98\\xb0a\\x16\\x1eA\\xa3"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1153",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b05a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CLSIDFromOle1Class"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97680a0"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf7\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff0\\xf8\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:3904:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000023c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000023c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31c8f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x9de78ff870"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b060000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              },
              {
                "name": "ValueName",
                "value": "Com+Enabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "clbcatq.dll"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000240"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a96a4000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9679000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9678000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\MaximumCommitCondition"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\clbcatq"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9600000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a961d990"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31c900000"
              },
              {
                "name": "SectionOffset",
                "value": "0x9de78ff5c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "LocalService"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "RunAs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "ActivateAtStorage"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x0000024e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024e"
              },
              {
                "name": "ValueName",
                "value": "ROTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024e"
              },
              {
                "name": "ValueName",
                "value": "AppIDFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024e"
              },
              {
                "name": "ValueName",
                "value": "MGOTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024e"
              },
              {
                "name": "ValueName",
                "value": "ProcessMitigationPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024e"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "LegacyAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "ValueName",
                "value": "LegacyImpersonationLevel"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "RemoteServerName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "SRPTrustLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "PreferredServerBitness"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "LoadUserSettings"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf1\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xa0\\xfa\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x90`\\x9b\\xa9\\xf9\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000024c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000024c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes"
              },
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "ProtectionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b061000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b063000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001ec"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001ec"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b064000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x000001ec"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              },
              {
                "name": "ValueName",
                "value": "RaiseActivationAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xef\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff@\\xf0\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x14\\xc5\\x86"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000254"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000001ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ee"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              },
              {
                "name": "ValueName",
                "value": "RaiseDefaultAuthnLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ee"
              },
              {
                "name": "ValueName",
                "value": "AccessPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AccessPermission"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ee"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000001ec"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              },
              {
                "name": "ValueName",
                "value": "DefaultAccessPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\x01\\x06\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00002100"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xf5\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x01F\\xa8\\xf9\\x7f\\x00\\x00#\\x84\\xab\\xf3\\xd1\\xca\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001ec"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000f40"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.COM.DISABLE.3904"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.IEC.STATUS.6c736db0"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b066000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b067000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x00000266"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000266"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000026a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026a"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000266"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000264"
              },
              {
                "name": "ValueName",
                "value": "NdrOleExtDLL"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "NdrOleInitializeExtension"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a97850f0"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9747c50"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96dc030"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-06-29 12:45:48,442",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8%\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0&\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xff\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x93\\x96\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00 \\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x18\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xe8\\xea\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x08\\xeb\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xe9\\x8f\\xe7\\x9d\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b069000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H'\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0'\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "x\\x01\\x06\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x003\\xab\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x80\\xe7\\x8f\\xe7\\x9d\\x00\\x00\\x00x\\xe7\\x8f\\xe7\\x9d\\x00\\x00\\x00H\\xe7\\x8f\\xe7\\x9d\\x00\\x00\\x00h\\xe7\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00h\\xe5\\x8f\\xe7\\x9d\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000274"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b057640"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "6064"
              },
              {
                "name": "ProcessId",
                "value": "3904"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000274",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b057640"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "6064"
              },
              {
                "name": "ProcessId",
                "value": "3904"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8&\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0)\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "6064",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b06b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "H\\x01\\x06\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00C\\x92\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xf0\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xe8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xb8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xd8\\xee\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xd8\\xec\\x8f\\xe7\\x9d\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h+\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00k\\x00e\\x00r\\x00n\\x00e\\x00l\\x00.\\x00a\\x00p\\x00p\\x00c\\x00o\\x00r\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "6064",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0*\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xfc\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xe3\\x96\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00P\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00H\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x18\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x008\\xeb\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x008\\xe9\\x8f\\xe7\\x9d\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b06c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "h+\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00k\\x00e\\x00r\\x00n\\x00e\\x00l\\x00.\\x00a\\x00p\\x00p\\x00c\\x00o\\x00r\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0&\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xfc\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00C\\x92\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xf0\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xe8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xb8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xd8\\xee\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xd8\\xec\\x8f\\xe7\\x9d\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8)\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0*\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x00\\x06\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xe3\\x96\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00P\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00H\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x18\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x008\\xeb\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x008\\xe9\\x8f\\xe7\\x9d\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8&\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0)\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "H\\x01\\x06\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00C\\x92\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xf0\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xe8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xb8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xd8\\xee\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xd8\\xec\\x8f\\xe7\\x9d\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8*\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10+\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x00\\x06\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xe3\\x96\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00P\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00H\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x18\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x008\\xeb\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x008\\xe9\\x8f\\xe7\\x9d\\x00\\x00\\x00|\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8&\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0)\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00v\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xfc\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00C\\x92\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xf0\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xe8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xb8\\xee\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xd8\\xee\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x8d\\x03\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xd8\\xec\\x8f\\xe7\\x9d\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8*\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10+\\x05\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "H\\x01\\x06\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xe3\\x96\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00P\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00H\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x18\\xeb\\x8f\\xe7\\x9d\\x00\\x00\\x008\\xeb\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x008\\xe9\\x8f\\xe7\\x9d\\x00\\x00\\x00t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b06d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "5524",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b06f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "5524",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "5524",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b030b50"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "5524",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000027c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "5524",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "5520",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "5520",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b030b50"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000290"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b057380"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "1416"
              },
              {
                "name": "ProcessId",
                "value": "3904"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000290",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b057380"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "1416"
              },
              {
                "name": "ProcessId",
                "value": "3904"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "1416",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "1416",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b057380"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "1416",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b072000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "1416",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "1416",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-29 12:45:48,458",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9aa782e57",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9aa782e57",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9aa782e57",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a5b50000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9aa782ebb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a5b50000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a5b57ce0"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a5b57d20",
            "parentcaller": "0x7ff9aa78308c",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9aaa067b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xeb/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa067ec",
            "parentcaller": "0x7ff9a84b15f0",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845f960",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845f984",
            "parentcaller": "0x7ff9a845eb81",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002a0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845e5d4",
            "parentcaller": "0x7ff9a5b8e309",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845e608",
            "parentcaller": "0x7ff9a5b8e309",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a5b5889c",
            "parentcaller": "0x7ff9a5b580dc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002ac"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a9bff351",
            "parentcaller": "0x7ff9a9bfd90f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a9bff42f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa69b6e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "XR\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@H\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xfd\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xb3\\x90\\x0b\\xfc\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x00\\xed/\\xe8\\x9d\\x00\\x00\\x00\\xf8\\xec/\\xe8\\x9d\\x00\\x00\\x00\\xc8\\xec/\\xe8\\x9d\\x00\\x00\\x00\\xe8\\xec/\\xe8"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x18\\x06\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xea/\\xe8\\x9d\\x00\\x00\\x00\\xb4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa2953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98H\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0K\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xfc\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8/\\x03\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xd3\\x94\\x0b\\xfc\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00`\\xe9/\\xe8\\x9d\\x00\\x00\\x00X\\xe9/\\xe8\\x9d\\x00\\x00\\x00(\\xe9/\\xe8\\x9d\\x00\\x00\\x00H\\xe9/\\xe8"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0/\\x03\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xe7/\\xe8\\x9d\\x00\\x00\\x00\\xb4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4a7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b076000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8P\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "`L\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xfc\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "xo\\x07\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xf3\\x97\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00@\\xec\\x8f\\xe7\\x9d\\x00\\x00\\x008\\xec\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x08\\xec\\x8f\\xe7\\x9d\\x00\\x00\\x00(\\xec\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00po\\x07\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00(\\xea\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xbc\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8Q\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " D\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xfc\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18k\\x07\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x13\\x94\\xab\\xf3\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xa0\\xe8\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x98\\xe8\\x8f\\xe7\\x9d\\x00\\x00\\x00h\\xe8\\x8f\\xe7\\x9d\\x00\\x00\\x00\\x88\\xe8\\x8f\\xe7"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10k\\x07\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xe6\\x8f\\xe7\\x9d\\x00\\x00\\x00\\xbc\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a9798aa0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b05e640"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "4772"
              },
              {
                "name": "ProcessId",
                "value": "3904"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002bc",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff9a9798aa0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b05e640"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4772"
              },
              {
                "name": "ProcessId",
                "value": "3904"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              },
              {
                "name": "Milliseconds",
                "value": "20000"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4772",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4772",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a9798aa0"
              },
              {
                "name": "Parameter",
                "value": "0x1a31b05e640"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4772",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9798ab9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4772",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9798ab9",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              },
              {
                "name": "Milliseconds",
                "value": "30000"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4772",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aa3e703d",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4772"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4772",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aa3e703d",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b078000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a96da750",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\x8b\\xd5\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a96da6fa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a9755d3f",
            "parentcaller": "0x7ff9a96d57c2",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x1a31b0322f8",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978516f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785199",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851c3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9747c50"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851ed",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785217",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785241",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96dc030"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978526b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a978507f",
            "parentcaller": "0x7ff9aaa338b0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b07c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xb8\\x0f\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xce\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\xd0\\xb9\\x0f\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Class Factory for Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ce"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Apartment"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xb7\\x0f\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xce\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00`\\xb8\\x0f\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xb7\\x0f\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xce\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00`\\xb8\\x0f\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ce"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ce"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a976c0de",
            "parentcaller": "0x7ff9a976b5d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a976c116",
            "parentcaller": "0x7ff9a976b5d4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "MaxSxSHashCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a976c12f",
            "parentcaller": "0x7ff9a976b5d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a9754528",
            "parentcaller": "0x7ff9a9714d1b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a9754564",
            "parentcaller": "0x7ff9a9714d1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "GipActivityBypass"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\GipActivityBypass"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a975457d",
            "parentcaller": "0x7ff9a9714d1b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a9bff351",
            "parentcaller": "0x7ff9a9bfd90f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a9bff42f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa69b6e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8R\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0N\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xff\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18r\\x07\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x03\\xbb\\x0b\\xfc\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xb0\\xd7/\\xe8\\x9d\\x00\\x00\\x00\\xa8\\xd7/\\xe8\\x9d\\x00\\x00\\x00x\\xd7/\\xe8\\x9d\\x00\\x00\\x00\\x98\\xd7/\\xe8"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10r\\x07\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xd5/\\xe8\\x9d\\x00\\x00\\x00\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa2953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8P\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " M\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xfd\\x05\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "hl\\x07\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\xa3\\xbf\\x0b\\xfc\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\x10\\xd4/\\xe8\\x9d\\x00\\x00\\x00\\x08\\xd4/\\xe8\\x9d\\x00\\x00\\x00\\xd8\\xd3/\\xe8\\x9d\\x00\\x00\\x00\\xf8\\xd3/\\xe8"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`l\\x07\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xd1/\\xe8\\x9d\\x00\\x00\\x00\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4a7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a84646e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31c920000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8462338",
            "parentcaller": "0x7ff9a84a9215",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8464b01",
            "parentcaller": "0x7ff9a84642d1",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 494
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a8464cf6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a8464c2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31c940000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a8464cad",
            "parentcaller": "0x7ff9a8464c5d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002b2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xc5/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xb2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\xa0\\xc6/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Class Factory for Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002b2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-29 12:45:48,474",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Apartment"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xc4/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xb2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x000\\xc5/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xc4/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xb2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x000\\xc5/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a972ae1c",
            "parentcaller": "0x7ff9a9728039",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002b2"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728085",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b2"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "Data",
                "value": "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9785fb3",
            "parentcaller": "0x7ff9a972b4dc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972b507",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Thumbnail Cache Out of Proc Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "LocalService"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728527",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "RunAs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728642",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "ActivateAtStorage"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728761",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a97287b5",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": "ROTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728808",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": "AppIDFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728858",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": "MGOTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a97288ac",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": "ProcessMitigationPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a97288cf",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a97276e8",
            "parentcaller": "0x7ff9a97288f3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728938",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000002dc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a972897a",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "LegacyAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a97289cd",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              },
              {
                "name": "ValueName",
                "value": "LegacyImpersonationLevel"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728a06",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728a4b",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "RemoteServerName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728af0",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "SRPTrustLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728b4f",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "PreferredServerBitness"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728bb2",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "LoadUserSettings"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9728c40",
            "parentcaller": "0x7ff9a972b6d5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "ValueName",
                "value": "ProtectionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a972b72a",
            "parentcaller": "0x7ff9a972821a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9786f8c",
            "parentcaller": "0x7ff9a97282f0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002b2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9786fa9",
            "parentcaller": "0x7ff9a97282f0",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8464d40",
            "parentcaller": "0x7ff9a97874a9",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8464d60",
            "parentcaller": "0x7ff9a97874a9",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc3/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xb2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00p\\xc4/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002b2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a972b02a",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002b6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a972b061",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002b6"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a972b0c5",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b6"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b2"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              },
              {
                "name": "Handle",
                "value": "0x000002b2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a970953c",
            "parentcaller": "0x7ff9a970806b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002b2"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a9708090",
            "parentcaller": "0x7ff9a96dace7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b2"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9aaa57be6",
            "parentcaller": "0x7ff9aaa2dde7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9aaa57be6",
            "parentcaller": "0x7ff9aaa2dde7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\thumbcache"
              },
              {
                "name": "DllBase",
                "value": "0x7ff992850000"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff992850000"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff992850000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff992850000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99286acb0"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff992850000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99287c6d0"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff992850000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff99286c140"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-29 12:45:48,489",
            "thread_id": "1416",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9928b3000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9928b3000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a96cfb64",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb82",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetMarshalSizeMax"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9760fc0"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb9f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbbc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbd9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{75121952-E0D0-43E5-9380-1D80483ACF72}"
              },
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{75121952-E0D0-43E5-9380-1D80483ACF72}"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002de"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xb5/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\xb0\\xb6/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002de"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8491fa9",
            "parentcaller": "0x7ff9a845e7b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\propsys.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 610
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e2"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xb4/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00@\\xb5/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xb4/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00@\\xb5/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xb2/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00p\\xb3/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002de"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8491fa9",
            "parentcaller": "0x7ff9a845e7b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\propsys.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 642
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xb1/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x00\\xb2/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xb1/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x00\\xb2/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a972ae1c",
            "parentcaller": "0x7ff9a9728039",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002de"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728085",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xb0/\\xe8\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xc5\\x86\\xf9\\x7f\\x00\\x00\\xde\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xc5\\x86\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9d\\x00\\x00\\x00@\\xb1/\\xe8\\x9d\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a972b02a",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000022e"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a972b061",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a972b0c5",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e6"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000256"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              },
              {
                "name": "Handle",
                "value": "0x000002de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a970953c",
            "parentcaller": "0x7ff9a970806b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002de"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a9708090",
            "parentcaller": "0x7ff9a96dace7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002de"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-06-29 12:45:48,505",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\propsys"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a2720000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\propsys.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a2720000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a272b820"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a2720000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a2720000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a2756440"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a9bff351",
            "parentcaller": "0x7ff9a9bfd90f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a9bff42f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa69b6e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8G\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80D\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\xe5\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08o\\x07\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00s\\xb0\\x0b\\xfc\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00\\xc0\\xcc/\\xe8\\x9d\\x00\\x00\\x00\\xb8\\xcc/\\xe8\\x9d\\x00\\x00\\x00\\x88\\xcc/\\xe8\\x9d\\x00\\x00\\x00\\xa8\\xcc/\\xe8"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x07\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xca/\\xe8\\x9d\\x00\\x00\\x00\\xf4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa28cde",
            "parentcaller": "0x7ff9aaa2953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "2\\xb6\\x1a\\x00\\x00\\x00\\x00\\x00\\x8aI\n\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x88\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x96I\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56d66",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8I\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56dbb",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00L\\x07\\x1b\\xa3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56de0",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e2e",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xe6\\x07\\x1b\\xa3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56e57",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56eaf",
            "parentcaller": "0x7ff9aaa28d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18k\\x07\\x1b\\xa3\\x01\\x00\\x00\\x02\\x00\\\\x00\\x03\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02I\n\\x00"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f68",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa1\\xc8\\x86\\xf9\\x7f\\x00\\x00\\xfbR\\xa0\\x86\\xf9\\x7f\\x00\\x00\\x93\\xb4\\x0b\\xfc\\xd1\\xca\\x00\\x00\\x88\\xa1\\xc4\\x86\\xf9\\x7f\\x00\\x00 \\xc9/\\xe8\\x9d\\x00\\x00\\x00\\x18\\xc9/\\xe8\\x9d\\x00\\x00\\x00\\xe8\\xc8/\\xe8\\x9d\\x00\\x00\\x00\\x08\\xc9/\\xe8"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9aaa56f9b",
            "parentcaller": "0x7ff9aaa56ec8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10k\\x07\\x1b\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xa1\\x86\\xf9\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xc7/\\xe8\\x9d\\x00\\x00\\x00\\xf4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\xc0j\\xf9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xf6\\xc4\\x86"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4a7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9bff4c9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-06-29 12:45:48,567",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002f4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-06-29 12:45:48,583",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-06-29 12:45:48,599",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-06-29 12:45:48,614",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-06-29 12:45:48,630",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-06-29 12:45:48,646",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-06-29 12:45:48,661",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2026-06-29 12:45:48,677",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5520",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5520",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5520",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-06-29 12:45:48,692",
            "thread_id": "5520",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-06-29 12:45:48,708",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-06-29 12:45:48,724",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-06-29 12:45:48,755",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-06-29 12:45:48,771",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-06-29 12:45:48,786",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-06-29 12:45:48,802",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2026-06-29 12:45:48,817",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1037
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-06-29 12:45:48,833",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1045
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1051
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-06-29 12:45:48,849",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1065
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a97384fa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a971b8d6",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "1416",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "1416",
            "caller": "0x7ff9928652d4",
            "parentcaller": "0x7ff9a976b264",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a97672ca",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "5524",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x0003043e"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-06-29 12:45:48,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be116a",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "3904"
              },
              {
                "name": "ThreadId",
                "value": "1416"
              },
              {
                "name": "Message",
                "value": "1033"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff99287c71f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b4"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff992869088",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99286731b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff99286731b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\thumbcache"
              },
              {
                "name": "DllBase",
                "value": "0x7ff992850000"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa40434",
            "parentcaller": "0x7ff9a9d6550f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a9d4ca48",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9d4ca0b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9d4ca0b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa60cd0",
            "parentcaller": "0x7ff9aaa20391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa60cd0",
            "parentcaller": "0x7ff9aaa20391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff992850000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a970b7c6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001f4"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a977af45",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a96de87e",
            "parentcaller": "0x7ff9a977af54",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9a84a83ba",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1416"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a92115b8",
            "parentcaller": "0x7ff9aaa09a1d",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f032",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f0f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "1416",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9a84a83ba",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "5524",
            "caller": "0x7ff9a9c3c877",
            "parentcaller": "0x7ff9a9c3c7d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "5524",
            "caller": "0x7ff9a9c1dde1",
            "parentcaller": "0x7ff9a9c1dd54",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b082000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b059000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b066000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b062000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31b066000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a31c8f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022e"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1176",
            "parentcaller": "0x7ff6f8be1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-06-29 12:45:53,864",
            "thread_id": "4108",
            "caller": "0x7ff6f8be1193",
            "parentcaller": "0x7ff6f8be1466",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1127
          }
        ],
        "threads": [
          "4108",
          "3468",
          "3156",
          "2804",
          "1804",
          "6064",
          "5524",
          "5520",
          "1416",
          "4772"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff6f8be0000",
          "MainExeSize": "0x00009000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "cmd.exe",
        "pid": 3636,
        "parent_id": 2892,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "children": [
          {
            "name": "cmd.exe",
            "pid": 2108,
            "parent_id": 3636,
            "module_path": "C:\\Windows\\System32\\cmd.exe",
            "children": [
              {
                "name": "systeminfo.exe",
                "pid": 4468,
                "parent_id": 2108,
                "module_path": "C:\\Windows\\System32\\systeminfo.exe",
                "children": [],
                "threads": [
                  "1140",
                  "3860",
                  "3152",
                  "2016",
                  "1996",
                  "2796",
                  "3796",
                  "4356"
                ],
                "environ": {
                  "UserName": "Rajesh",
                  "ComputerName": "DESKTOP-P54VDBR",
                  "WindowsPath": "C:\\Windows",
                  "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
                  "CommandLine": "systeminfo  ",
                  "RegisteredOwner": "",
                  "RegisteredOrganization": "",
                  "ProductName": "",
                  "SystemVolumeSerialNumber": "1c64-b66f",
                  "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
                  "MachineGUID": "",
                  "MainExeBase": "0x7ff6573d0000",
                  "MainExeSize": "0x0001f000",
                  "Bitness": "64-bit"
                }
              },
              {
                "name": "notepad.exe",
                "pid": 5432,
                "parent_id": 2108,
                "module_path": "C:\\Windows\\System32\\notepad.exe",
                "children": [],
                "threads": [
                  "5436",
                  "5556",
                  "5552",
                  "5548",
                  "5544",
                  "5672",
                  "5680",
                  "5684",
                  "5524",
                  "5520"
                ],
                "environ": {
                  "UserName": "Rajesh",
                  "ComputerName": "DESKTOP-P54VDBR",
                  "WindowsPath": "C:\\Windows",
                  "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
                  "CommandLine": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt",
                  "RegisteredOwner": "",
                  "RegisteredOrganization": "",
                  "ProductName": "",
                  "SystemVolumeSerialNumber": "1c64-b66f",
                  "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
                  "MachineGUID": "",
                  "MainExeBase": "0x7ff737dc0000",
                  "MainExeSize": "0x0003a000",
                  "Bitness": "64-bit"
                }
              }
            ],
            "threads": [
              "4448",
              "2848",
              "3108",
              "4184",
              "3092",
              "5340",
              "5348",
              "5356",
              "5360",
              "5884"
            ],
            "environ": {
              "UserName": "Rajesh",
              "ComputerName": "DESKTOP-P54VDBR",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "1c64-b66f",
              "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff79a450000",
              "MainExeSize": "0x00067000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "3868",
          "4216",
          "3688",
          "4052",
          "2748"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff79a450000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 756,
        "parent_id": 632,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [
          {
            "name": "WmiPrvSE.exe",
            "pid": 2868,
            "parent_id": 756,
            "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
            "children": [],
            "threads": [
              "336",
              "3472",
              "4232",
              "3504",
              "4716",
              "2128",
              "3548"
            ],
            "environ": {
              "UserName": "LOCAL SERVICE",
              "ComputerName": "DESKTOP-P54VDBR",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Windows\\TEMP\\",
              "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "1c64-b66f",
              "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff712fe0000",
              "MainExeSize": "0x0007e000",
              "Bitness": "64-bit"
            }
          },
          {
            "name": "dllhost.exe",
            "pid": 5760,
            "parent_id": 756,
            "module_path": "C:\\Windows\\System32\\dllhost.exe",
            "children": [],
            "threads": [
              "4664",
              "5884",
              "5360",
              "5340",
              "5356",
              "4932",
              "2808",
              "4660",
              "2800",
              "5968",
              "3340"
            ],
            "environ": {
              "UserName": "Rajesh",
              "ComputerName": "DESKTOP-P54VDBR",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "1c64-b66f",
              "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff6f8be0000",
              "MainExeSize": "0x00009000",
              "Bitness": "64-bit"
            }
          },
          {
            "name": "dllhost.exe",
            "pid": 3904,
            "parent_id": 756,
            "module_path": "C:\\Windows\\System32\\dllhost.exe",
            "children": [],
            "threads": [
              "4108",
              "3468",
              "3156",
              "2804",
              "1804",
              "6064",
              "5524",
              "5520",
              "1416",
              "4772"
            ],
            "environ": {
              "UserName": "Rajesh",
              "ComputerName": "DESKTOP-P54VDBR",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "1c64-b66f",
              "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff6f8be0000",
              "MainExeSize": "0x00009000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "3624",
          "1176",
          "848",
          "844",
          "6012",
          "2648"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff69d480000",
          "MainExeSize": "0x00011000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 3036,
        "parent_id": 632,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [],
        "threads": [
          "4924",
          "1400",
          "2064",
          "4228",
          "4708",
          "2192",
          "4704",
          "4364",
          "1724",
          "3676",
          "4132"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff69d480000",
          "MainExeSize": "0x00011000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "C:\\Users",
        "C:\\Users\\Rajesh",
        "C:\\Users\\Rajesh\\AppData",
        "C:\\Users\\Rajesh\\AppData\\Local",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat",
        "C:\\",
        "C:\\Windows\\System32\\cmdext.dll",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\systeminfo.*",
        "C:\\Windows\\System32\\systeminfo.*",
        "C:\\Windows\\System32\\systeminfo.COM",
        "C:\\Windows\\System32\\systeminfo.EXE",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "\\Device\\CNG",
        "\\Device\\DeviceApi\\CMApi",
        "\\??\\MountPointManager",
        "C:\\Windows\\System32\\en-US\\mlang.dll.mui",
        "\\??\\PhysicalDrive0",
        "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-3262678163-160926255-2192883574-1002.pckgdep",
        "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\\S-1-5-18.pckgdep",
        "C:\\Windows\\SystemResources\\USER32.dll.mun",
        "C:\\Windows\\System32\\en-US\\USER32.dll.mui",
        "C:\\Windows\\System32\\rpcss.dll",
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
        "C:\\Windows\\WindowsShell.Manifest",
        "C:\\Windows\\System32\\resources.pri",
        "C:\\Windows\\Fonts\\staticcache.dat",
        "C:\\Windows\\System32\\TextShaping.dll",
        "C:\\Windows\\System32\\uxtheme.dll.Config",
        "C:\\Windows\\System32\\uxtheme.dll",
        "C:\\Windows\\System32\\textinputframework.dll",
        "C:\\Windows\\System32\\CoreUIComponents.dll",
        "C:\\Windows\\System32\\CoreMessaging.dll",
        "C:\\Windows\\System32\\ntmarta.dll",
        "C:\\Windows\\System32\\urlmon.dll",
        "C:\\Windows\\System32\\iertutil.dll",
        "C:\\Windows\\System32\\srvcli.dll",
        "C:\\Windows\\System32\\netutils.dll",
        "C:\\Windows\\system32",
        "C:\\Windows"
      ],
      "read_files": [],
      "write_files": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt",
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
      ],
      "delete_files": [],
      "keys": [
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\Logging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
        "HKEY_CURRENT_USER\\Software\\Classes",
        "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\systeminfo.exe",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\MIME\\Database\\Rfc1766",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MUI\\StringCacheSettings",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\EnableObjectValidation",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfEscapement",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOrientation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfWeight",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfItalic",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfUnderline",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfStrikeOut",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfCharSet",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOutPrecision",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfClipPrecision",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfQuality",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfPitchAndFamily",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Notepad\\DefaultFonts",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfFaceName",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iPointSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrap",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iDefaultEncoding",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\StatusBar",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fSaveWindowPositions",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWindowsOnlyEOL",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fPasteOriginalEOL",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fReverse",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrapAround",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMatchCase",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\searchString",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\replaceString",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szHeader",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szTrailer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginTop",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginBottom",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginLeft",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginRight",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosY",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosX",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDX",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDY",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMLE_is_broken",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\XAML",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault",
        "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\NOTEPAD.EXE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{C50898F6-C536-5F47-8583-8B2C2438A13B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{c50898f6-c536-5f47-8583-8b2c2438a13b}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{c50898f6-c536-5f47-8583-8b2c2438a13b}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\Elevation",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\NOTEPAD.EXE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\LanmanWorkstation\\Parameters\\RpcCacheTimeout",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_URI_DISABLECACHE",
        "HKEY_CLASSES_ROOT\\.txt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Consolas",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_TrackDocs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
        "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\StateSeparation\\RedirectionMap\\Keys",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AccessPermission",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\GipActivityBypass",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{75121952-E0D0-43E5-9380-1D80483ACF72}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\Elevation"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\Logging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\EnableObjectValidation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfEscapement",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOrientation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfWeight",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfItalic",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfUnderline",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfStrikeOut",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfCharSet",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOutPrecision",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfClipPrecision",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfQuality",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfPitchAndFamily",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfFaceName",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iPointSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrap",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iDefaultEncoding",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\StatusBar",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fSaveWindowPositions",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWindowsOnlyEOL",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fPasteOriginalEOL",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fReverse",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrapAround",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMatchCase",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\searchString",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\replaceString",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szHeader",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szTrailer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginTop",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginBottom",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginLeft",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginRight",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosY",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosX",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDX",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDY",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMLE_is_broken",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{c50898f6-c536-5f47-8583-8b2c2438a13b}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\LanmanWorkstation\\Parameters\\RpcCacheTimeout",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_TrackDocs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AccessPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\GipActivityBypass",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\AppID"
      ],
      "write_keys": [
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386"
      ],
      "delete_keys": [],
      "executed_commands": [
        "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"",
        "systeminfo",
        "information.txt",
        "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt ",
        "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
        "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
        "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe\" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca"
      ],
      "resolved_apis": [
        "ntdll.dll.RtlWow64GetCurrentMachine",
        "ntdll.dll.RtlWow64IsWowGuestMachineSupported"
      ],
      "mutexes": [
        "Local\\SM0:5432:304:WilStaging_02",
        "Local\\SM0:5432:120:WilError_03",
        "Local\\MSCTF.Asm.MutexDefault2",
        "CicLoadWinStaWinSta0",
        "Local\\MSCTF.CtfMonitorInstMutexDefault2",
        "Local\\SM0:5760:304:WilStaging_02",
        "Local\\SM0:3904:304:WilStaging_02"
      ],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,359",
        "eid": 1,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 6,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 7,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 8,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,375",
        "eid": 9,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,437",
        "eid": 10,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:14,469",
        "eid": 11,
        "data": {
          "file": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:30,062",
        "eid": 12,
        "data": {
          "file": "\\Device\\ConDrv"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:30,078",
        "eid": 13,
        "data": {
          "file": "\\Device\\ConDrv"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:30,078",
        "eid": 14,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:30,125",
        "eid": 15,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:30,125",
        "eid": 16,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:30,125",
        "eid": 17,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:30,125",
        "eid": 18,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:30,125",
        "eid": 19,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:30,125",
        "eid": 20,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:30,125",
        "eid": 21,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 22,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 23,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 24,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 25,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 26,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 27,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 28,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,847",
        "eid": 29,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,863",
        "eid": 30,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-28 21:56:14,878",
        "eid": 31,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,925",
        "eid": 32,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,925",
        "eid": 33,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa3d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,925",
        "eid": 34,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,925",
        "eid": 35,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:14,925",
        "eid": 36,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:14,972",
        "eid": 37,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:15,003",
        "eid": 38,
        "data": {
          "file": "systeminfo  "
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,894",
        "eid": 39,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,894",
        "eid": 40,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,910",
        "eid": 41,
        "data": {
          "file": "information.txt "
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:23,910",
        "eid": 42,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,019",
        "eid": 43,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,019",
        "eid": 44,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,019",
        "eid": 45,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,019",
        "eid": 46,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,066",
        "eid": 47,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a5b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,066",
        "eid": 48,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,082",
        "eid": 49,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,175",
        "eid": 50,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,300",
        "eid": 51,
        "data": {
          "file": "C:\\Windows\\System32\\propsys.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a2720000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,347",
        "eid": 52,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.Storage.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a6230000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,378",
        "eid": 53,
        "data": {
          "file": "C:\\Windows\\System32\\windows.storage.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a6230000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 54,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xc4\\xd8c\\xf2\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 55,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 56,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00o\\xb6d\\x1c\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 57,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 58,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xd9T\\x98P\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x008\\x00E\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 59,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 60,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 61,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 62,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 63,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 64,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 65,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 66,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,472",
        "eid": 67,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 68,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 69,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 70,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 71,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 72,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 73,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 74,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 75,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 76,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 77,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 78,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 79,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
          "content": "nt authority\\system"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 80,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 81,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 82,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,488",
        "eid": 83,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 84,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 85,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 86,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 87,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 88,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 89,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 90,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 91,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 92,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 93,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 94,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 95,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 96,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 97,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 98,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 99,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a1300000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,503",
        "eid": 100,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,519",
        "eid": 101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,519",
        "eid": 102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,519",
        "eid": 103,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9903b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,535",
        "eid": 104,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,535",
        "eid": 105,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,628",
        "eid": 106,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa760000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,628",
        "eid": 107,
        "data": {
          "file": "C:\\Windows\\System32\\urlmon.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99f930000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,644",
        "eid": 108,
        "data": {
          "file": "API-MS-WIN-CORE-URL-L1-1-0.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,660",
        "eid": 109,
        "data": {
          "file": "C:\\Windows\\System32\\WinTypes.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a4dc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,660",
        "eid": 110,
        "data": {
          "file": "C:\\Windows\\System32\\WinTypes.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a4dc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,691",
        "eid": 111,
        "data": {
          "file": "C:\\Windows\\System32\\appresolver.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9971f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,691",
        "eid": 112,
        "data": {
          "file": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99d480000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 119,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 120,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 121,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 125,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 126,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 127,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,707",
        "eid": 128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,722",
        "eid": 129,
        "data": {
          "file": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99eea0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,722",
        "eid": 130,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:24,753",
        "eid": 141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:24,800",
        "eid": 142,
        "data": {
          "file": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,816",
        "eid": 143,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:24,816",
        "eid": 144,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:24,816",
        "eid": 145,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-28 21:56:24,816",
        "eid": 146,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-28 21:56:24,832",
        "eid": 147,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,972",
        "eid": 148,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,972",
        "eid": 149,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,972",
        "eid": 150,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,972",
        "eid": 151,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,972",
        "eid": 152,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,972",
        "eid": 153,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,972",
        "eid": 154,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 155,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 156,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 157,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 158,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 161,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,988",
        "eid": 162,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,166",
        "eid": 163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\Logging",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:15,181",
        "eid": 164,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,181",
        "eid": 165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,181",
        "eid": 166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,197",
        "eid": 167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,197",
        "eid": 168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,197",
        "eid": 169,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,197",
        "eid": 170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:15,197",
        "eid": 171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:15,197",
        "eid": 172,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,416",
        "eid": 173,
        "data": {
          "file": "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,416",
        "eid": 174,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff97fc40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 175,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 177,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa3d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 178,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,431",
        "eid": 182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,447",
        "eid": 183,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemsvc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff97fc20000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,463",
        "eid": 184,
        "data": {
          "file": "api-ms-win-core-localization-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,463",
        "eid": 185,
        "data": {
          "file": "api-ms-win-core-localization-obsolete-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,463",
        "eid": 186,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\fastprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99dc10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,478",
        "eid": 187,
        "data": {
          "file": "amsi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99e360000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
          "content": "{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\wbem\\fastprox.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,494",
        "eid": 195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 199,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 201,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\wbem\\fastprox.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 203,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\AppID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 204,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
          "content": "{7C857801-7381-11CF-884D-00AA004B2E24}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,509",
        "eid": 205,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
          "content": "{7C857801-7381-11CF-884D-00AA004B2E24}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,572",
        "eid": 206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409",
          "content": "en-us;@%SystemRoot%\\system32\\mlang.dll,-4386"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,572",
        "eid": 207,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "34"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,572",
        "eid": 208,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,572",
        "eid": 209,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,572",
        "eid": 210,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,588",
        "eid": 211,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,588",
        "eid": 212,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
          "content": "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,588",
        "eid": 213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,588",
        "eid": 214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,588",
        "eid": 215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\wbem\\fastprox.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:19,588",
        "eid": 216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:20,931",
        "eid": 217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409",
          "content": "en-us;@%SystemRoot%\\system32\\mlang.dll,-4386"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:20,931",
        "eid": 218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
          "content": "34"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:20,931",
        "eid": 219,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\22\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386",
          "content": "English (United States)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:21,009",
        "eid": 220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\EnableObjectValidation",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,478",
        "eid": 221,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,478",
        "eid": 222,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,478",
        "eid": 223,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,478",
        "eid": 224,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 225,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 226,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 227,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 228,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 229,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 230,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 231,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 232,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 233,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 234,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 235,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,494",
        "eid": 236,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 237,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 238,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 239,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 240,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 241,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 242,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 243,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 244,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 245,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 246,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 247,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,509",
        "eid": 248,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,525",
        "eid": 249,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,525",
        "eid": 250,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,525",
        "eid": 251,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,525",
        "eid": 252,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,525",
        "eid": 253,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,525",
        "eid": 254,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,525",
        "eid": 255,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,541",
        "eid": 256,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 257,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 258,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 259,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 260,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 261,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 262,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 263,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,556",
        "eid": 264,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 265,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 266,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 267,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 268,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 269,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 270,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 271,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,572",
        "eid": 272,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,588",
        "eid": 273,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,588",
        "eid": 274,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,588",
        "eid": 275,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,588",
        "eid": 276,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,588",
        "eid": 277,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 278,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 279,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 280,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 281,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 282,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 283,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 284,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 285,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 286,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 287,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,603",
        "eid": 288,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 289,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 290,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 291,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 292,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 293,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 294,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 295,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,619",
        "eid": 296,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 297,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 298,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 299,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 300,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 301,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 302,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 303,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 304,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 305,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,634",
        "eid": 306,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 307,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 308,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 309,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 310,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 311,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 312,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 313,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 314,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 315,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,650",
        "eid": 316,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 317,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 318,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 319,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 320,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 321,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 322,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 323,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 324,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 325,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,666",
        "eid": 326,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 327,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 328,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 329,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 330,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 331,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 332,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 333,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 334,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,681",
        "eid": 335,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 336,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 337,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 338,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 339,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 340,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 341,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 342,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 343,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 344,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,697",
        "eid": 345,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 346,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 347,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 348,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 349,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 350,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 351,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 352,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 353,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 354,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 355,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-06-28 21:56:23,713",
        "eid": 356,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:23,728",
        "eid": 357,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:23,728",
        "eid": 358,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:23,728",
        "eid": 359,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:23,744",
        "eid": 360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM\\Logging",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:23,744",
        "eid": 361,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:23,744",
        "eid": 362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-28 21:56:23,744",
        "eid": 363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:23,744",
        "eid": 364,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:23,744",
        "eid": 365,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:22,616",
        "eid": 366,
        "data": {
          "file": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:30,210",
        "eid": 367,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a7170000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:45,788",
        "eid": 368,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a7170000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:56:53,178",
        "eid": 369,
        "data": {
          "file": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:57:26,210",
        "eid": 370,
        "data": {
          "file": "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe\" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-28 21:57:54,944",
        "eid": 371,
        "data": {
          "file": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:17,929",
        "eid": 372,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff98ba90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:19,445",
        "eid": 373,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff98ba90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:20,976",
        "eid": 374,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff98ba90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:22,742",
        "eid": 375,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff98ba90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,164",
        "eid": 376,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff98ba90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-28 21:56:29,742",
        "eid": 377,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff98ba90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:16,026",
        "eid": 378,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa3d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:16,057",
        "eid": 379,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff97fc40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:16,057",
        "eid": 380,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemsvc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff97fc20000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:16,072",
        "eid": 381,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\fastprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99dc10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:16,088",
        "eid": 382,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wmiutils.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99e310000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:16,119",
        "eid": 383,
        "data": {
          "file": "API-MS-Win-Security-Base-L1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:16,119",
        "eid": 384,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\stdprov.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99e3d0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,312",
        "eid": 385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,312",
        "eid": 386,
        "data": {
          "file": "LPK",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,312",
        "eid": 387,
        "data": {
          "file": "GDI32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,327",
        "eid": 388,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,327",
        "eid": 389,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,327",
        "eid": 390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,327",
        "eid": 391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,327",
        "eid": 392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,327",
        "eid": 393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,327",
        "eid": 394,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 395,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a5b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 396,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 397,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 398,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\DllPath",
          "content": "C:\\Windows\\System32\\MrmCoreR.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Resources.Core.ResourceManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,343",
        "eid": 411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 412,
        "data": {
          "file": "C:\\Windows\\System32\\MrmCoreR.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a06e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 413,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 414,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 415,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 418,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfEscapement",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 419,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOrientation",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 420,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfWeight",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 421,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfItalic",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 422,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfUnderline",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 423,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfStrikeOut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 424,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfCharSet",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 425,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfOutPrecision",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 426,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfClipPrecision",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 427,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfQuality",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 428,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfPitchAndFamily",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName",
          "content": "Consolas"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize",
          "content": "110"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 431,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\lfFaceName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 432,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iPointSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 433,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrap",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 434,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iDefaultEncoding",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 435,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\StatusBar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 436,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fSaveWindowPositions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 437,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWindowsOnlyEOL",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 438,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fPasteOriginalEOL",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 439,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fReverse",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 440,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fWrapAround",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 441,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMatchCase",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 442,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\searchString",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 443,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\replaceString",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 444,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szHeader",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 445,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\szTrailer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 446,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginTop",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 447,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginBottom",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 448,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginLeft",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 449,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iMarginRight",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 450,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosY",
          "content": "182"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,359",
        "eid": 451,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosX",
          "content": "182"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,374",
        "eid": 452,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDX",
          "content": "1080"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,374",
        "eid": 453,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\iWindowPosDY",
          "content": "624"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,374",
        "eid": 454,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Notepad\\fMLE_is_broken",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,374",
        "eid": 455,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa3d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,390",
        "eid": 456,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,390",
        "eid": 457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,406",
        "eid": 458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,406",
        "eid": 459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
          "content": "C:\\Windows\\Fonts\\staticcache.dat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-06-29 12:44:18,421",
        "eid": 460,
        "data": {
          "file": "C:\\Windows\\Fonts\\StaticCache.dat"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,421",
        "eid": 461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,421",
        "eid": 462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
          "content": "SimSun-ExtB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,421",
        "eid": 463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,421",
        "eid": 464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,421",
        "eid": 465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\DllPath",
          "content": "%SystemRoot%\\system32\\windows.storage.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 480,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 481,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 482,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 483,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 484,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 485,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 487,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 488,
        "data": {
          "file": "C:\\Windows\\System32\\windows.storage.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a6230000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 489,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 490,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 491,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\DllPath",
          "content": "C:\\Windows\\System32\\efswrt.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,437",
        "eid": 500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 501,
        "data": {
          "file": "C:\\Windows\\System32\\efswrt.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff987d80000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 502,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 504,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath",
          "content": "C:\\Windows\\System32\\twinapi.appcore.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 507,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 510,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 511,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 512,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 514,
        "data": {
          "file": "C:\\Windows\\System32\\twinapi.appcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a10f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 515,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,452",
        "eid": 516,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 517,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 518,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 528,
        "data": {
          "file": "C:\\Windows\\System32\\WinTypes.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a4dc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 529,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 531,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 537,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,468",
        "eid": 539,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{c50898f6-c536-5f47-8583-8b2c2438a13b}\\ProxyStubClsid32\\(Default)",
          "content": "{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": "Ptype_PSFactory"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": "Ptype_PSFactory"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,484",
        "eid": 552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,499",
        "eid": 553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,499",
        "eid": 554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,499",
        "eid": 555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,499",
        "eid": 556,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,499",
        "eid": 557,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,499",
        "eid": 558,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa760000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,499",
        "eid": 559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,515",
        "eid": 560,
        "data": {
          "file": "comctl32",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,515",
        "eid": 561,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,531",
        "eid": 562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,531",
        "eid": 563,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,562",
        "eid": 564,
        "data": {
          "file": "C:\\Windows\\System32\\oleacc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff992900000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,562",
        "eid": 565,
        "data": {
          "file": "OLEAUT32.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a9530000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,562",
        "eid": 566,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,562",
        "eid": 567,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,593",
        "eid": 568,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,593",
        "eid": 569,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,593",
        "eid": 570,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,656",
        "eid": 571,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,656",
        "eid": 572,
        "data": {
          "file": "USER32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 573,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\LanmanWorkstation\\Parameters\\RpcCacheTimeout",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 575,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 576,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 577,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa760000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 578,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 579,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 581,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 583,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 585,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 587,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 589,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 591,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 594,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 595,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 598,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 599,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,702",
        "eid": 600,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,718",
        "eid": 601,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,718",
        "eid": 602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,718",
        "eid": 603,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type",
          "content": "text/plain"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,734",
        "eid": 604,
        "data": {
          "file": "C:\\Windows\\System32\\propsys.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a2720000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:18,796",
        "eid": 605,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_TrackDocs",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,796",
        "eid": 606,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,796",
        "eid": 607,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,796",
        "eid": 608,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,796",
        "eid": 609,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:18,796",
        "eid": 610,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,437",
        "eid": 611,
        "data": {
          "file": "C:\\Windows\\System32\\msctf.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a9a10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 612,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 613,
        "data": {
          "file": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 614,
        "data": {
          "file": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa760000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 615,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 616,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 617,
        "data": {
          "file": "ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa760000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 618,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 619,
        "data": {
          "file": "api-ms-win-core-com-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a96b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,452",
        "eid": 620,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,468",
        "eid": 621,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:23,468",
        "eid": 622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:23,468",
        "eid": 623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:23,468",
        "eid": 624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:23,468",
        "eid": 625,
        "data": {
          "file": "iertutil.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-06-29 12:44:24,593",
        "eid": 626,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:01,437",
        "eid": 627,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:01,437",
        "eid": 628,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:01,437",
        "eid": 629,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:01,437",
        "eid": 630,
        "data": {
          "file": "C:\\Windows\\System32\\ole32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a92a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:01,437",
        "eid": 631,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,327",
        "eid": 632,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,343",
        "eid": 633,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,343",
        "eid": 634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,343",
        "eid": 635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,343",
        "eid": 636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,343",
        "eid": 637,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,343",
        "eid": 638,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 639,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 641,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 643,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 644,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 651,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 652,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 653,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,359",
        "eid": 656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 658,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 659,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 660,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 661,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AccessPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 665,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 666,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 667,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
          "content": "combase.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 669,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,374",
        "eid": 670,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,390",
        "eid": 671,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 672,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a5b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 673,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 674,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 677,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Class Factory for Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 680,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": "C:\\Windows\\System32\\thumbcache.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 681,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel",
          "content": "Apartment"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 682,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 683,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\GipActivityBypass",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 684,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 685,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 686,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Class Factory for Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 687,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 688,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 689,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": "C:\\Windows\\System32\\thumbcache.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 690,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel",
          "content": "Apartment"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,406",
        "eid": 691,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppID",
          "content": "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 692,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 693,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 695,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 696,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 697,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 698,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 699,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 700,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 701,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 702,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 703,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 704,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 705,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 706,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 707,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 708,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 709,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 710,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,421",
        "eid": 711,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,437",
        "eid": 712,
        "data": {
          "file": "C:\\Windows\\System32\\thumbcache.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff992850000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,437",
        "eid": 713,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 714,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 715,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32\\(Default)",
          "content": "{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 717,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 718,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 720,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\propsys.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 723,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 724,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 725,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 726,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 727,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 728,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\propsys.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 729,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 730,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 731,
        "data": {
          "file": "C:\\Windows\\System32\\propsys.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a2720000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:47,452",
        "eid": 732,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:52,531",
        "eid": 733,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:52,531",
        "eid": 734,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:52,531",
        "eid": 735,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:44:52,531",
        "eid": 736,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,427",
        "eid": 737,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 738,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 739,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 740,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 741,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 742,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 743,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 744,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 745,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 746,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 747,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 748,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 749,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 750,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 751,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 752,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 753,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 754,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 755,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 756,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 757,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 758,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 759,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 760,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 761,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 762,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 763,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 764,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 765,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 766,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 767,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 768,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 769,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AccessPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 770,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 771,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 772,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 773,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
          "content": "combase.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,442",
        "eid": 774,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,458",
        "eid": 775,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,458",
        "eid": 776,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 777,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a5b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 778,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 779,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 780,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 781,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 782,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Class Factory for Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 783,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 784,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 785,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": "C:\\Windows\\System32\\thumbcache.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 786,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel",
          "content": "Apartment"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 787,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 788,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\GipActivityBypass",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 789,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 790,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 791,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Class Factory for Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 792,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,474",
        "eid": 793,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 794,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\(Default)",
          "content": "C:\\Windows\\System32\\thumbcache.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 795,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\\ThreadingModel",
          "content": "Apartment"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 796,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppID",
          "content": "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 797,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 798,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\(Default)",
          "content": "Thumbnail Cache Out of Proc Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 799,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalService",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 800,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 801,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\DllSurrogate",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 802,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RunAs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 803,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ActivateAtStorage",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 804,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ROTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 805,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AppIDFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 806,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\MGOTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 807,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProcessMitigationPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 808,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LaunchPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 809,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 810,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 811,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 812,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\RemoteServerName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 813,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\SRPTrustLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 814,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\PreferredServerBitness",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 815,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LoadUserSettings",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 816,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\ProtectionLevel",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 817,
        "data": {
          "file": "C:\\Windows\\System32\\thumbcache.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff992850000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,489",
        "eid": 818,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 819,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 820,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{75121952-e0d0-43e5-9380-1d80483acf72}\\ProxyStubClsid32\\(Default)",
          "content": "{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 821,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 822,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 823,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 824,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 825,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 826,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\propsys.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 827,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 828,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 829,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 830,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 831,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 832,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 833,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\propsys.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 834,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 12:45:48,505",
        "eid": 835,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,567",
        "eid": 836,
        "data": {
          "file": "C:\\Windows\\System32\\propsys.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a2720000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:48,567",
        "eid": 837,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:53,864",
        "eid": 838,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:53,864",
        "eid": 839,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:53,864",
        "eid": 840,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 12:45:53,864",
        "eid": 841,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": [],
      "com_activations": []
    }
  },
  "debug": {
    "log": "2026-06-28 14:55:57,985 [root] INFO: Date set to: 20260629T12:43:48, timeout set to: 200\n2026-06-29 12:43:49,624 [root] DEBUG: Starting analyzer from: C:\\2_6me6uj\n2026-06-29 12:43:49,625 [root] DEBUG: Storing results at: C:\\ngIpjVKr\n2026-06-29 12:43:49,627 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\CWnexHVb\n2026-06-29 12:43:49,632 [root] DEBUG: Python path: C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\n2026-06-29 12:43:49,637 [root] INFO: analysis running as an admin\n2026-06-29 12:43:49,640 [root] DEBUG: no analysis package configured, picking one for you\n2026-06-29 12:43:49,663 [root] INFO: analysis package selected: \"batch\"\n2026-06-29 12:43:49,669 [root] DEBUG: importing analysis package module: \"modules.packages.batch\"...\n2026-06-29 12:43:50,274 [root] DEBUG: imported analysis package \"batch\"\n2026-06-29 12:43:50,275 [root] DEBUG: initializing analysis package \"batch\"...\n2026-06-29 12:43:50,276 [lib.common.common] INFO: no wrapping\n2026-06-29 12:43:50,276 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-29 12:43:50,283 [root] DEBUG: New location of moved file: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\n2026-06-29 12:43:50,283 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll option\n2026-06-29 12:43:50,284 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll_64 option\n2026-06-29 12:43:50,284 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option\n2026-06-29 12:43:50,286 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option\n2026-06-28 14:56:02,044 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-06-28 14:56:02,063 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-06-28 14:56:02,110 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-06-28 
14:56:02,278 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-06-28 14:56:02,289 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-06-28 14:56:02,290 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-06-28 14:56:02,290 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-06-28 14:56:02,295 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-06-28 14:56:02,296 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-06-28 14:56:02,296 [root] DEBUG: attempting to configure 'Browser' from data\n2026-06-28 14:56:02,298 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-06-28 14:56:02,298 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-06-28 14:56:02,308 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-06-28 14:56:02,308 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-06-28 14:56:02,308 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-06-28 14:56:02,309 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-06-28 14:56:02,309 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-06-28 14:56:02,309 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-06-28 14:56:02,939 [modules.auxiliary.digisig] DEBUG: File has an invalid signature\n2026-06-28 14:56:02,940 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-06-28 14:56:02,943 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-06-28 14:56:02,943 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-06-28 14:56:02,944 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-06-28 14:56:02,945 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-06-28 14:56:02,945 [root] DEBUG: Trying to start auxiliary module 
\"modules.auxiliary.disguise\"...\n2026-06-28 14:56:02,949 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 4688)\n2026-06-28 14:56:02,959 [modules.auxiliary.disguise] INFO: Disguising GUID to 783034a4-7eca-4edd-ac9e-1e8027d53a55\n2026-06-28 14:56:02,959 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-06-28 14:56:02,960 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-06-28 14:56:02,960 [root] DEBUG: attempting to configure 'Human' from data\n2026-06-28 14:56:02,960 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-06-28 14:56:02,961 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-06-28 14:56:02,961 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-06-28 14:56:02,962 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-06-28 14:56:02,962 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-06-28 14:56:02,963 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-06-28 14:56:02,964 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-06-28 14:56:02,969 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-06-28 14:56:02,969 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-06-28 14:56:02,969 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-06-28 14:56:02,970 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-06-28 14:56:02,970 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-06-28 14:56:02,971 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-06-28 14:56:02,973 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-06-28 14:56:02,974 [root] DEBUG: Started auxiliary module 
modules.auxiliary.tlsdump\n2026-06-28 14:56:09,002 [root] INFO: Restarting WMI Service\n2026-06-28 14:56:11,286 [root] DEBUG: package modules.packages.batch does not support configure, ignoring\n2026-06-28 14:56:11,289 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages'\n2026-06-28 14:56:11,291 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-28 14:56:11,300 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\system32\\cmd.exe\" with arguments \"/c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"\" with pid 3636\n2026-06-28 14:56:11,777 [lib.api.process] INFO: Monitor config for process 3636: C:\\2_6me6uj\\dll\\3636.ini\n2026-06-28 14:56:11,801 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-28 14:56:11,829 [root] DEBUG: Loader: Injecting process 3636 (thread 3868) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:11,833 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:11,835 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:11,839 [lib.api.process] INFO: Injected into 64-bit <Process 3636 cmd.exe>\n2026-06-28 14:56:13,860 [lib.api.process] INFO: Successfully resumed process with pid 3636\n2026-06-28 14:56:14,096 [root] DEBUG: 3636: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:14,097 [root] DEBUG: 3636: Disabling sleep skipping.\n2026-06-28 14:56:14,098 [root] DEBUG: 3636: Dropped file limit defaulting to 100.\n2026-06-28 14:56:14,132 [root] DEBUG: 3636: YaraInit: Compiled 44 rule files\n2026-06-28 14:56:14,135 [root] DEBUG: 3636: YaraInit: Compiled rules saved to file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-28 14:56:14,200 [root] DEBUG: 3636: 
RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-28 14:56:14,201 [root] DEBUG: 3636: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a\n2026-06-28 14:56:14,206 [root] DEBUG: 3636: YaraScan hit: FindFixAndRun\n2026-06-28 14:56:14,207 [root] DEBUG: 3636: Monitor initialised: 64-bit capemon loaded in process 3636 at 0x00007FF986960000, thread 3868, image base 0x00007FF79A450000, stack from 0x000000A0D6604000-0x000000A0D6700000\n2026-06-28 14:56:14,208 [root] DEBUG: 3636: Commandline: \"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"\n2026-06-28 14:56:14,228 [root] DEBUG: 3636: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-28 14:56:14,289 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-28 14:56:14,290 [root] DEBUG: 3636: set_hooks: Unable to hook LockResource\n2026-06-28 14:56:14,307 [root] DEBUG: 3636: Hooked 630 out of 631 functions\n2026-06-28 14:56:14,314 [root] DEBUG: 3636: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF79A45C620\n2026-06-28 14:56:14,317 [root] DEBUG: 3636: Syscall hook installed, syscall logging level 1\n2026-06-28 14:56:14,345 [root] DEBUG: 3636: RestoreHeaders: Restored original import table.\n2026-06-28 14:56:14,346 [root] INFO: Loaded monitor into process with pid 3636\n2026-06-28 14:56:14,348 [root] DEBUG: 3636: caller_dispatch: Added region at 0x00007FF79A450000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF79A4693C1, thread 3868).\n2026-06-28 14:56:14,350 [root] DEBUG: 3636: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a\n2026-06-28 14:56:14,360 [root] DEBUG: 3636: ProcessImageBase: Main module image at 0x00007FF79A450000 unmodified (entropy change 0.000000e+00)\n2026-06-28 14:56:14,386 [root] DEBUG: 3636: DLL loaded at 0x00007FF9A7A90000: C:\\Windows\\system32\\Wldp (0x2c000 
bytes).\n2026-06-28 14:56:14,391 [root] DEBUG: 3636: DLL loaded at 0x00007FF9A6230000: C:\\Windows\\SYSTEM32\\windows.storage (0x790000 bytes).\n2026-06-28 14:56:14,396 [root] DEBUG: 3636: DLL loaded at 0x00007FF9A9D30000: C:\\Windows\\System32\\SHCORE (0xad000 bytes).\n2026-06-28 14:56:14,400 [root] DEBUG: 3636: CreateProcessHandler: Injection info set for new process 2108: C:\\Windows\\system32\\cmd.exe, ImageBase: 0x00007FF79A450000\n2026-06-28 14:56:14,401 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2108\n2026-06-28 14:56:14,402 [lib.api.process] INFO: Monitor config for process 2108: C:\\2_6me6uj\\dll\\2108.ini\n2026-06-28 14:56:14,408 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-28 14:56:14,426 [root] DEBUG: Loader: Injecting process 2108 (thread 4448) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:14,428 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:14,429 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:14,432 [lib.api.process] INFO: Injected into 64-bit <Process 2108 cmd.exe>\n2026-06-28 14:56:14,436 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2108\n2026-06-28 14:56:14,436 [lib.api.process] INFO: Monitor config for process 2108: C:\\2_6me6uj\\dll\\2108.ini\n2026-06-28 14:56:14,441 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-28 14:56:14,452 [root] DEBUG: Loader: Injecting process 2108 (thread 4448) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:14,453 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:14,455 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:14,459 [lib.api.process] INFO: Injected into 64-bit <Process 2108 cmd.exe>\n2026-06-28 14:56:14,626 [root] DEBUG: 2108: Python path set to 
'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:14,628 [root] DEBUG: 2108: Dropped file limit defaulting to 100.\n2026-06-28 14:56:14,632 [root] DEBUG: 2108: Disabling sleep skipping.\n2026-06-28 14:56:14,635 [root] DEBUG: 2108: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-28 14:56:14,665 [root] DEBUG: 2108: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-28 14:56:14,666 [root] DEBUG: 2108: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a\n2026-06-28 14:56:14,671 [root] DEBUG: 2108: YaraScan hit: FindFixAndRun\n2026-06-28 14:56:14,672 [root] DEBUG: 2108: Monitor initialised: 64-bit capemon loaded in process 2108 at 0x00007FF986960000, thread 4448, image base 0x00007FF79A450000, stack from 0x000000AE2B404000-0x000000AE2B500000\n2026-06-28 14:56:14,673 [root] DEBUG: 2108: Commandline: C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\"\n2026-06-28 14:56:14,690 [root] DEBUG: 2108: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-28 14:56:14,743 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-28 14:56:14,746 [root] DEBUG: 2108: set_hooks: Unable to hook LockResource\n2026-06-28 14:56:14,761 [root] DEBUG: 2108: Hooked 630 out of 631 functions\n2026-06-28 14:56:14,824 [root] DEBUG: 2108: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF79A45C620\n2026-06-28 14:56:14,825 [root] DEBUG: 2108: Syscall hook installed, syscall logging level 1\n2026-06-28 14:56:14,834 [root] DEBUG: 2108: RestoreHeaders: Restored original import table.\n2026-06-28 14:56:14,835 [root] INFO: Loaded monitor into process with pid 2108\n2026-06-28 14:56:14,837 [root] DEBUG: 2108: caller_dispatch: Added region at 0x00007FF79A450000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 
0x00007FF79A4693C1, thread 4448).\n2026-06-28 14:56:14,839 [root] DEBUG: 2108: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a\n2026-06-28 14:56:14,851 [root] DEBUG: 2108: ProcessImageBase: Main module image at 0x00007FF79A450000 unmodified (entropy change 0.000000e+00)\n2026-06-28 14:56:14,882 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A4220000: C:\\Windows\\SYSTEM32\\cmdext (0xc000 bytes).\n2026-06-28 14:56:14,942 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A7A90000: C:\\Windows\\system32\\Wldp (0x2c000 bytes).\n2026-06-28 14:56:14,947 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6230000: C:\\Windows\\SYSTEM32\\windows.storage (0x790000 bytes).\n2026-06-28 14:56:14,951 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A9D30000: C:\\Windows\\System32\\SHCORE (0xad000 bytes).\n2026-06-28 14:56:14,954 [root] DEBUG: 2108: CreateProcessHandler: Injection info set for new process 4468: C:\\Windows\\system32\\systeminfo.exe, ImageBase: 0x00007FF6573D0000\n2026-06-28 14:56:14,955 [root] INFO: Announced 64-bit process name: systeminfo.exe pid: 4468\n2026-06-28 14:56:14,956 [lib.api.process] INFO: Monitor config for process 4468: C:\\2_6me6uj\\dll\\4468.ini\n2026-06-28 14:56:14,960 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-28 14:56:14,975 [root] DEBUG: Loader: Injecting process 4468 (thread 1140) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:14,976 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:14,977 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:14,982 [lib.api.process] INFO: Injected into 64-bit <Process 4468 systeminfo.exe>\n2026-06-28 14:56:14,984 [root] INFO: Announced 64-bit process name: systeminfo.exe pid: 4468\n2026-06-28 14:56:14,985 [lib.api.process] INFO: Monitor config for process 4468: C:\\2_6me6uj\\dll\\4468.ini\n2026-06-28 14:56:14,987 [lib.api.process] INFO: 64-bit DLL to inject is 
C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-28 14:56:14,998 [root] DEBUG: Loader: Injecting process 4468 (thread 1140) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:15,000 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-28 14:56:15,001 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:15,005 [lib.api.process] INFO: Injected into 64-bit <Process 4468 systeminfo.exe>\n2026-06-28 14:56:15,025 [root] DEBUG: 4468: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:15,026 [root] DEBUG: 4468: Dropped file limit defaulting to 100.\n2026-06-28 14:56:15,031 [root] DEBUG: 4468: Disabling sleep skipping.\n2026-06-28 14:56:15,037 [root] DEBUG: 4468: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-28 14:56:15,060 [root] DEBUG: 4468: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-28 14:56:15,061 [root] DEBUG: 4468: YaraScan: Scanning 0x00007FF6573D0000, size 0x1e030\n2026-06-28 14:56:15,065 [root] DEBUG: 4468: Monitor initialised: 64-bit capemon loaded in process 4468 at 0x00007FF986960000, thread 1140, image base 0x00007FF6573D0000, stack from 0x0000003381ED4000-0x0000003381EE0000\n2026-06-28 14:56:15,066 [root] DEBUG: 4468: Commandline: systeminfo\n2026-06-28 14:56:15,085 [root] DEBUG: 4468: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-28 14:56:15,141 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-28 14:56:15,143 [root] DEBUG: 4468: set_hooks: Unable to hook LockResource\n2026-06-28 14:56:15,156 [root] DEBUG: 4468: Hooked 630 out of 631 functions\n2026-06-28 14:56:15,160 [root] DEBUG: 4468: Syscall hook installed, syscall logging level 1\n2026-06-28 14:56:15,170 [root] DEBUG: 4468: RestoreHeaders: Restored 
original import table.\n2026-06-28 14:56:15,171 [root] INFO: Loaded monitor into process with pid 4468\n2026-06-28 14:56:15,177 [root] DEBUG: 4468: caller_dispatch: Added region at 0x00007FF6573D0000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6573E1EA1, thread 1140).\n2026-06-28 14:56:15,181 [root] DEBUG: 4468: YaraScan: Scanning 0x00007FF6573D0000, size 0x1e030\n2026-06-28 14:56:15,185 [root] DEBUG: 4468: ProcessImageBase: Main module image at 0x00007FF6573D0000 unmodified (entropy change 0.000000e+00)\n2026-06-28 14:56:15,191 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A6030000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-28 14:56:15,192 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-28 14:56:15,204 [lib.api.process] INFO: Monitor config for process 756: C:\\2_6me6uj\\dll\\756.ini\n2026-06-28 14:56:15,207 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-28 14:56:15,225 [root] DEBUG: Loader: Injecting process 756 with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:15,231 [root] DEBUG: 756: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:15,232 [root] DEBUG: 756: Disabling sleep skipping.\n2026-06-28 14:56:15,232 [root] DEBUG: 756: Dropped file limit defaulting to 100.\n2026-06-28 14:56:15,236 [root] DEBUG: 756: Services hook set enabled\n2026-06-28 14:56:15,243 [root] DEBUG: 756: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-28 14:56:15,263 [root] DEBUG: 756: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-28 14:56:15,264 [root] DEBUG: 756: Monitor initialised: 64-bit capemon loaded in process 756 at 0x00007FF986960000, thread 5016, image base 0x00007FF69D480000, stack from 
0x00000036AC3F4000-0x00000036AC400000\n2026-06-28 14:56:15,266 [root] DEBUG: 756: Commandline: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n2026-06-28 14:56:15,286 [root] DEBUG: 756: Hooked 69 out of 69 functions\n2026-06-28 14:56:15,288 [root] INFO: Loaded monitor into process with pid 756\n2026-06-28 14:56:15,289 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-06-28 14:56:15,290 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:15,293 [lib.api.process] INFO: Injected into 64-bit <Process 756 svchost.exe>\n2026-06-28 14:56:17,306 [lib.api.process] INFO: Monitor config for process 3036: C:\\2_6me6uj\\dll\\3036.ini\n2026-06-28 14:56:17,311 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-28 14:56:17,326 [root] DEBUG: Loader: Injecting process 3036 with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:17,332 [root] DEBUG: 3036: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-28 14:56:17,334 [root] DEBUG: 3036: Disabling sleep skipping.\n2026-06-28 14:56:17,335 [root] DEBUG: 3036: Dropped file limit defaulting to 100.\n2026-06-28 14:56:17,337 [root] DEBUG: 3036: Services hook set enabled\n2026-06-28 14:56:17,341 [root] DEBUG: 3036: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-28 14:56:17,365 [root] DEBUG: 3036: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-28 14:56:17,366 [root] DEBUG: 3036: Monitor initialised: 64-bit capemon loaded in process 3036 at 0x00007FF986960000, thread 3952, image base 0x00007FF69D480000, stack from 0x000000A3D10F5000-0x000000A3D1100000\n2026-06-28 14:56:17,370 [root] DEBUG: 3036: Commandline: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\n2026-06-28 14:56:17,392 [root] DEBUG: 3036: Hooked 69 
out of 69 functions\n2026-06-28 14:56:17,395 [root] INFO: Loaded monitor into process with pid 3036\n2026-06-28 14:56:17,398 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-06-28 14:56:17,404 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-28 14:56:17,408 [lib.api.process] INFO: Injected into 64-bit <Process 3036 svchost.exe>\n2026-06-29 05:44:12,738 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-29 05:44:12,746 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A0F30000: C:\\Windows\\SYSTEM32\\wbemcomn (0x92000 bytes).\n2026-06-29 05:44:12,747 [root] DEBUG: 4468: DLL loaded at 0x00007FF97FC40000: C:\\Windows\\system32\\wbem\\wbemprox (0x11000 bytes).\n2026-06-29 05:44:12,750 [root] DEBUG: 4468: Successfully installed hook on COM Object function WbemLocator_ConnectServer\n2026-06-29 05:44:12,779 [root] DEBUG: 4468: DLL loaded at 0x00007FF97FC20000: C:\\Windows\\system32\\wbem\\wbemsvc (0x14000 bytes).\n2026-06-29 05:44:12,793 [root] DEBUG: 4468: DLL loaded at 0x00007FF99DC10000: C:\\Windows\\system32\\wbem\\fastprox (0x10b000 bytes).\n2026-06-29 05:44:12,803 [root] DEBUG: 4468: DLL loaded at 0x00007FF99E360000: C:\\Windows\\SYSTEM32\\amsi (0x19000 bytes).\n2026-06-29 05:44:12,809 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecQuery\n2026-06-29 05:44:12,810 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecQueryAsync\n2026-06-29 05:44:12,812 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_CreateInstanceEnum\n2026-06-29 05:44:12,815 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_CreateInstanceEnumAsync\n2026-06-29 05:44:12,817 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_GetObjectW\n2026-06-29 05:44:12,818 [root] DEBUG: 4468: 
Successfully installed hook on COM Object function IWbemServices_GetObjectAsync\n2026-06-29 05:44:12,819 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecMethod\n2026-06-29 05:44:12,821 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecMethodAsync\n2026-06-29 05:44:14,360 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 2868: C:\\Windows\\system32\\wbem\\wmiprvse.exe, ImageBase: 0x00007FF712FE0000\n2026-06-29 05:44:14,361 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2868\n2026-06-29 05:44:14,362 [lib.api.process] INFO: Monitor config for process 2868: C:\\2_6me6uj\\dll\\2868.ini\n2026-06-29 05:44:15,644 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:44:15,661 [root] DEBUG: Loader: Injecting process 2868 (thread 3472) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:15,663 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:44:15,664 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:15,666 [lib.api.process] INFO: Injected into 64-bit <Process 2868 WmiPrvSE.exe>\n2026-06-29 05:44:15,668 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2868\n2026-06-29 05:44:15,669 [lib.api.process] INFO: Monitor config for process 2868: C:\\2_6me6uj\\dll\\2868.ini\n2026-06-29 05:44:15,930 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:44:15,941 [root] DEBUG: Loader: Injecting process 2868 (thread 3472) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:15,942 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2026-06-29 05:44:15,943 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:15,946 [lib.api.process] INFO: Injected into 64-bit <Process 2868 
WmiPrvSE.exe>\n2026-06-29 05:44:15,962 [root] DEBUG: 2868: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 05:44:15,963 [root] DEBUG: 2868: Dropped file limit defaulting to 100.\n2026-06-29 05:44:15,968 [root] DEBUG: 2868: Disabling sleep skipping.\n2026-06-29 05:44:15,969 [root] DEBUG: 2868: Services hook set enabled\n2026-06-29 05:44:15,975 [root] DEBUG: 2868: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 05:44:15,996 [root] DEBUG: 2868: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-29 05:44:15,997 [root] DEBUG: 2868: Monitor initialised: 64-bit capemon loaded in process 2868 at 0x00007FF986960000, thread 3472, image base 0x00007FF712FE0000, stack from 0x0000001D40890000-0x0000001D408A0000\n2026-06-29 05:44:15,998 [root] DEBUG: 2868: Commandline: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\n2026-06-29 05:44:16,021 [root] DEBUG: 2868: Hooked 69 out of 69 functions\n2026-06-29 05:44:16,031 [root] DEBUG: 2868: RestoreHeaders: Restored original import table.\n2026-06-29 05:44:16,032 [root] INFO: Loaded monitor into process with pid 2868\n2026-06-29 05:44:16,041 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A6030000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-29 05:44:16,045 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-29 05:44:16,050 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-29 05:44:16,055 [root] DEBUG: 2868: DLL loaded at 0x00007FF97FC40000: C:\\Windows\\system32\\wbem\\wbemprox (0x11000 bytes).\n2026-06-29 05:44:16,063 [root] DEBUG: 2868: DLL loaded at 0x00007FF97FC20000: C:\\Windows\\system32\\wbem\\wbemsvc (0x14000 bytes).\n2026-06-29 05:44:16,084 [root] DEBUG: 2868: DLL loaded at 0x00007FF99E310000: 
C:\\Windows\\system32\\wbem\\wmiutils (0x28000 bytes).\n2026-06-29 05:44:16,110 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A7F80000: C:\\Windows\\SYSTEM32\\USERENV (0x2e000 bytes).\n2026-06-29 05:44:16,111 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A6E00000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2026-06-29 05:44:16,112 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A0DA0000: C:\\Windows\\system32\\wbem\\esscli (0x7d000 bytes).\n2026-06-29 05:44:16,113 [root] DEBUG: 2868: DLL loaded at 0x00007FF99E3D0000: C:\\Windows\\system32\\wbem\\stdprov (0x28000 bytes).\n2026-06-29 05:44:17,049 [root] DEBUG: 4468: NtTerminateProcess hook: Attempting to dump process 4468\n2026-06-29 05:44:17,050 [root] DEBUG: 4468: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 05:44:17,161 [root] INFO: Process with pid 4468 has terminated\n2026-06-29 05:44:17,212 [root] INFO: Added new file to list with pid 2108 and path C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt\n2026-06-29 05:44:17,294 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6030000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-29 05:44:17,334 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-29 05:44:17,387 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A5B50000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-06-29 05:44:17,495 [root] DEBUG: 2108: DLL loaded at 0x00007FF994050000: C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32 (0x29a000 bytes).\n2026-06-29 05:44:17,598 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A2720000: C:\\Windows\\system32\\PROPSYS (0xf6000 bytes).\n2026-06-29 05:44:17,611 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-29 05:44:17,662 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A8050000: C:\\Windows\\system32\\profapi (0x1f000 
bytes).\n2026-06-29 05:44:17,791 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A8110000: C:\\Windows\\System32\\CFGMGR32 (0x4e000 bytes).\n2026-06-29 05:44:17,795 [root] DEBUG: 2108: DLL loaded at 0x00007FF993730000: C:\\Windows\\system32\\edputil (0x24000 bytes).\n2026-06-29 05:44:17,836 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A1300000: C:\\Windows\\System32\\Windows.StateRepositoryPS (0x146000 bytes).\n2026-06-29 05:44:17,853 [root] DEBUG: 2108: DLL loaded at 0x00007FF9903B0000: C:\\Windows\\System32\\Windows.UI.AppDefaults (0x4c000 bytes).\n2026-06-29 05:44:17,933 [root] DEBUG: 2108: DLL loaded at 0x00007FF99F680000: C:\\Windows\\system32\\iertutil (0x2b0000 bytes).\n2026-06-29 05:44:17,935 [root] DEBUG: 2108: DLL loaded at 0x00007FF99F650000: C:\\Windows\\system32\\srvcli (0x28000 bytes).\n2026-06-29 05:44:17,938 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A75F0000: C:\\Windows\\system32\\netutils (0xc000 bytes).\n2026-06-29 05:44:17,941 [root] DEBUG: 2108: DLL loaded at 0x00007FF99F930000: C:\\Windows\\system32\\urlmon (0x1eb000 bytes).\n2026-06-29 05:44:17,951 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A7200000: C:\\Windows\\system32\\msvcp110_win (0x8a000 bytes).\n2026-06-29 05:44:17,954 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A35E0000: C:\\Windows\\SYSTEM32\\policymanager (0xa0000 bytes).\n2026-06-29 05:44:17,987 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A4DC0000: C:\\Windows\\System32\\wintypes (0x154000 bytes).\n2026-06-29 05:44:18,002 [root] DEBUG: 2108: DLL loaded at 0x00007FF99E080000: C:\\Windows\\System32\\Bcp47Langs (0x5c000 bytes).\n2026-06-29 05:44:18,003 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6C60000: C:\\Windows\\System32\\sppc (0x25000 bytes).\n2026-06-29 05:44:18,005 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6C90000: C:\\Windows\\System32\\SLC (0x29000 bytes).\n2026-06-29 05:44:18,008 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A7F80000: C:\\Windows\\System32\\USERENV (0x2e000 bytes).\n2026-06-29 05:44:18,009 [root] DEBUG: 
2108: DLL loaded at 0x00007FF9971F0000: C:\\Windows\\System32\\appresolver (0x90000 bytes).\n2026-06-29 05:44:18,027 [root] DEBUG: 2108: DLL loaded at 0x00007FF99D480000: C:\\Windows\\System32\\OneCoreCommonProxyStub (0x7d000 bytes).\n2026-06-29 05:44:18,045 [root] DEBUG: 2108: DLL loaded at 0x00007FF99EEA0000: C:\\Windows\\System32\\OneCoreUAPCommonProxyStub (0x798000 bytes).\n2026-06-29 05:44:18,075 [root] DEBUG: 2108: CreateProcessHandler: Injection info set for new process 5432: C:\\Windows\\system32\\NOTEPAD.EXE, ImageBase: 0x00007FF737DC0000\n2026-06-29 05:44:18,076 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5432\n2026-06-29 05:44:18,077 [lib.api.process] INFO: Monitor config for process 5432: C:\\2_6me6uj\\dll\\5432.ini\n2026-06-29 05:44:18,083 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:44:18,096 [root] DEBUG: Loader: Injecting process 5432 (thread 5436) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:18,097 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:44:18,098 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:18,101 [lib.api.process] INFO: Injected into 64-bit <Process 5432 notepad.exe>\n2026-06-29 05:44:18,104 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5432\n2026-06-29 05:44:18,105 [lib.api.process] INFO: Monitor config for process 5432: C:\\2_6me6uj\\dll\\5432.ini\n2026-06-29 05:44:18,109 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:44:18,118 [root] DEBUG: Loader: Injecting process 5432 (thread 5436) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:18,121 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:44:18,122 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:18,124 [lib.api.process] INFO: 
Injected into 64-bit <Process 5432 notepad.exe>\n2026-06-29 05:44:18,127 [root] DEBUG: 2108: DLL loaded at 0x00007FF998030000: C:\\Windows\\system32\\MPR (0x1d000 bytes).\n2026-06-29 05:44:18,130 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A31D0000: C:\\Windows\\SYSTEM32\\pcacli (0x16000 bytes).\n2026-06-29 05:44:18,167 [root] DEBUG: 5432: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 05:44:18,168 [root] DEBUG: 5432: Dropped file limit defaulting to 100.\n2026-06-29 05:44:18,176 [root] DEBUG: 5432: Disabling sleep skipping.\n2026-06-29 05:44:18,178 [root] DEBUG: 5432: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 05:44:18,198 [root] DEBUG: 5432: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-29 05:44:18,202 [root] DEBUG: 5432: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee\n2026-06-29 05:44:18,207 [root] DEBUG: 5432: Monitor initialised: 64-bit capemon loaded in process 5432 at 0x00007FF986960000, thread 5436, image base 0x00007FF737DC0000, stack from 0x0000002E2B59F000-0x0000002E2B5B0000\n2026-06-29 05:44:18,208 [root] DEBUG: 5432: Commandline: \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt\n2026-06-29 05:44:18,229 [root] DEBUG: 5432: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-29 05:44:18,279 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-29 05:44:18,281 [root] DEBUG: 5432: set_hooks: Unable to hook LockResource\n2026-06-29 05:44:18,294 [root] DEBUG: 5432: Hooked 630 out of 631 functions\n2026-06-29 05:44:18,299 [root] DEBUG: 5432: Syscall hook installed, syscall logging level 1\n2026-06-29 05:44:18,307 [root] DEBUG: 5432: RestoreHeaders: Restored original import table.\n2026-06-29 05:44:18,309 [root] INFO: Loaded monitor into process with pid 
5432\n2026-06-29 05:44:18,318 [root] DEBUG: 5432: caller_dispatch: Added region at 0x00007FF737DC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF737DE5842, thread 5436).\n2026-06-29 05:44:18,319 [root] DEBUG: 5432: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee\n2026-06-29 05:44:18,325 [root] DEBUG: 5432: ProcessImageBase: Main module image at 0x00007FF737DC0000 unmodified (entropy change 0.000000e+00)\n2026-06-29 05:44:18,328 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-29 05:44:18,334 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A6030000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-29 05:44:18,339 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A5B50000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-06-29 05:44:18,345 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-29 05:44:18,352 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A06E0000: C:\\Windows\\System32\\MrmCoreR (0xf5000 bytes).\n2026-06-29 05:44:18,378 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A7A90000: C:\\Windows\\system32\\Wldp (0x2c000 bytes).\n2026-06-29 05:44:18,379 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A6230000: C:\\Windows\\SYSTEM32\\windows.storage (0x790000 bytes).\n2026-06-29 05:44:18,388 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A9A10000: C:\\Windows\\System32\\MSCTF (0x115000 bytes).\n2026-06-29 05:44:18,424 [root] DEBUG: 5432: DLL loaded at 0x00007FF998F00000: C:\\Windows\\system32\\TextShaping (0xac000 bytes).\n2026-06-29 05:44:18,444 [root] DEBUG: 5432: DLL loaded at 0x00007FF998030000: C:\\Windows\\System32\\MPR (0x1d000 bytes).\n2026-06-29 05:44:18,446 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A4DC0000: C:\\Windows\\SYSTEM32\\wintypes (0x154000 bytes).\n2026-06-29 05:44:18,448 [root] DEBUG: 5432: DLL loaded at 0x00007FF987D80000: C:\\Windows\\System32\\efswrt (0xde000 
bytes).\n2026-06-29 05:44:18,457 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A10F0000: C:\\Windows\\System32\\twinapi.appcore (0x201000 bytes).\n2026-06-29 05:44:18,552 [root] DEBUG: 5432: DLL loaded at 0x00007FF992900000: C:\\Windows\\System32\\oleacc (0x66000 bytes).\n2026-06-29 05:44:18,621 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A6E00000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2026-06-29 05:44:18,622 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A57F0000: C:\\Windows\\System32\\CoreMessaging (0xf2000 bytes).\n2026-06-29 05:44:18,626 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A5490000: C:\\Windows\\System32\\CoreUIComponents (0x35e000 bytes).\n2026-06-29 05:44:18,647 [root] DEBUG: 5432: DLL loaded at 0x00007FF99BC00000: C:\\Windows\\SYSTEM32\\textinputframework (0xf9000 bytes).\n2026-06-29 05:44:18,686 [root] DEBUG: 5432: DLL loaded at 0x00007FF99F680000: C:\\Windows\\system32\\iertutil (0x2b0000 bytes).\n2026-06-29 05:44:18,689 [root] DEBUG: 5432: DLL loaded at 0x00007FF99F650000: C:\\Windows\\system32\\srvcli (0x28000 bytes).\n2026-06-29 05:44:18,690 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A75F0000: C:\\Windows\\system32\\netutils (0xc000 bytes).\n2026-06-29 05:44:18,698 [root] DEBUG: 5432: DLL loaded at 0x00007FF99F930000: C:\\Windows\\system32\\urlmon (0x1eb000 bytes).\n2026-06-29 05:44:18,720 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A9450000: C:\\Windows\\System32\\COMDLG32 (0xda000 bytes).\n2026-06-29 05:44:18,728 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A2720000: C:\\Windows\\system32\\PROPSYS (0xf6000 bytes).\n2026-06-29 05:44:23,230 [root] DEBUG: 2108: NtTerminateProcess hook: Attempting to dump process 2108\n2026-06-29 05:44:23,234 [root] DEBUG: 2108: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching\n2026-06-29 05:44:23,248 [root] DEBUG: 2108: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF79A450000.\n2026-06-29 05:44:23,250 [root] DEBUG: 2108: DumpImageInCurrentProcess: 
Attempting to dump virtual PE image.\n2026-06-29 05:44:23,251 [root] DEBUG: 2108: DumpProcess: Instantiating PeParser with address: 0x00007FF79A450000.\n2026-06-29 05:44:23,254 [root] DEBUG: 2108: DumpProcess: Module entry point VA is 0x00007FF79A468F50.\n2026-06-29 05:44:23,275 [lib.common.results] INFO: Uploading file C:\\ngIpjVKr\\CAPE\\2108_1053723441229162026 to procdump\\238cf97018bf3c257a80f8509fc1efce6ac4a8bf5ff3a07dfbbdff994135f05f; Size is 403456; Max size: 100000000\n2026-06-29 05:44:23,287 [root] DEBUG: 2108: DumpProcess: Module image dump success - dump size 0x62800.\n2026-06-29 05:44:23,310 [root] INFO: Process with pid 2108 has terminated\n2026-06-29 05:44:23,392 [root] DEBUG: 3636: NtTerminateProcess hook: Attempting to dump process 3636\n2026-06-29 05:44:23,394 [root] DEBUG: 3636: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching\n2026-06-29 05:44:23,396 [root] DEBUG: 3636: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF79A450000.\n2026-06-29 05:44:23,397 [root] DEBUG: 3636: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-29 05:44:23,400 [root] DEBUG: 3636: DumpProcess: Instantiating PeParser with address: 0x00007FF79A450000.\n2026-06-29 05:44:23,402 [root] DEBUG: 3636: DumpProcess: Module entry point VA is 0x00007FF79A468F50.\n2026-06-29 05:44:23,411 [lib.common.results] INFO: Uploading file C:\\ngIpjVKr\\CAPE\\3636_48993823441229162026 to procdump\\87fc8ef8bc1a66ad7ebff4fa1fda65a6e8a58b6776da2bc87d16a0b8e29b097a; Size is 401920; Max size: 100000000\n2026-06-29 05:44:23,421 [root] DEBUG: 3636: DumpProcess: Module image dump success - dump size 0x62200.\n2026-06-29 05:44:23,440 [root] INFO: Process with pid 3636 has terminated\n2026-06-29 05:44:46,391 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 5760: C:\\Windows\\system32\\DllHost.exe, ImageBase: 0x00007FF6F8BE0000\n2026-06-29 05:44:46,394 [root] INFO: Announced 64-bit process name: 
dllhost.exe pid: 5760\n2026-06-29 05:44:46,397 [lib.api.process] INFO: Monitor config for process 5760: C:\\2_6me6uj\\dll\\5760.ini\n2026-06-29 05:44:46,421 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:44:46,440 [root] DEBUG: Loader: Injecting process 5760 (thread 4664) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:46,442 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:44:46,445 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:46,451 [lib.api.process] INFO: Injected into 64-bit <Process 5760 dllhost.exe>\n2026-06-29 05:44:46,454 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 5760\n2026-06-29 05:44:46,455 [lib.api.process] INFO: Monitor config for process 5760: C:\\2_6me6uj\\dll\\5760.ini\n2026-06-29 05:44:46,467 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:44:46,485 [root] DEBUG: Loader: Injecting process 5760 (thread 4664) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:46,487 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:44:46,488 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:44:46,500 [lib.api.process] INFO: Injected into 64-bit <Process 5760 dllhost.exe>\n2026-06-29 05:44:46,516 [root] DEBUG: 5760: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 05:44:46,517 [root] DEBUG: 5760: Dropped file limit defaulting to 100.\n2026-06-29 05:44:46,535 [root] DEBUG: 5760: Disabling sleep skipping.\n2026-06-29 05:44:46,546 [root] DEBUG: 5760: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 05:44:46,571 [root] DEBUG: 5760: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-29 
05:44:46,576 [root] DEBUG: 5760: YaraScan: Scanning 0x00007FF6F8BE0000, size 0x8026\n2026-06-29 05:44:46,578 [root] DEBUG: 5760: Monitor initialised: 64-bit capemon loaded in process 5760 at 0x00007FF986960000, thread 4664, image base 0x00007FF6F8BE0000, stack from 0x000000AE04D44000-0x000000AE04D50000\n2026-06-29 05:44:46,580 [root] DEBUG: 5760: Commandline: C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\n2026-06-29 05:44:46,702 [root] DEBUG: 5760: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-29 05:44:47,008 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-29 05:44:47,231 [root] DEBUG: 5760: set_hooks: Unable to hook LockResource\n2026-06-29 05:44:47,278 [root] DEBUG: 5760: Hooked 630 out of 631 functions\n2026-06-29 05:44:47,296 [root] DEBUG: 5760: Syscall hook installed, syscall logging level 1\n2026-06-29 05:44:47,314 [root] DEBUG: 5760: RestoreHeaders: Restored original import table.\n2026-06-29 05:44:47,315 [root] INFO: Loaded monitor into process with pid 5760\n2026-06-29 05:44:47,317 [root] DEBUG: 5760: caller_dispatch: Added region at 0x00007FF6F8BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F8BE12F2, thread 4664).\n2026-06-29 05:44:47,329 [root] DEBUG: 5760: YaraScan: Scanning 0x00007FF6F8BE0000, size 0x8026\n2026-06-29 05:44:47,332 [root] DEBUG: 5760: ProcessImageBase: Main module image at 0x00007FF6F8BE0000 unmodified (entropy change 0.000000e+00)\n2026-06-29 05:44:47,344 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A6030000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-29 05:44:47,348 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-29 05:44:47,362 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-29 05:44:47,395 [root] DEBUG: 5760: 
DLL loaded at 0x00007FF9A5B50000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-06-29 05:44:47,438 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A9D30000: C:\\Windows\\System32\\shcore (0xad000 bytes).\n2026-06-29 05:44:47,442 [root] DEBUG: 5760: DLL loaded at 0x00007FF992850000: C:\\Windows\\System32\\thumbcache (0x66000 bytes).\n2026-06-29 05:44:47,457 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A2720000: C:\\Windows\\system32\\propsys (0xf6000 bytes).\n2026-06-29 05:44:52,532 [root] INFO: Process with pid 5760 has terminated\n2026-06-29 05:44:52,534 [root] DEBUG: 5760: NtTerminateProcess hook: Attempting to dump process 5760\n2026-06-29 05:44:52,536 [root] DEBUG: 5760: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 05:45:15,890 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 4440: C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe, ImageBase: 0x00007FF620BA0000\n2026-06-29 05:45:15,894 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 4440\n2026-06-29 05:45:15,896 [lib.api.process] INFO: Monitor config for process 4440: C:\\2_6me6uj\\dll\\4440.ini\n2026-06-29 05:45:17,954 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:45:17,973 [root] DEBUG: Loader: Injecting process 4440 (thread 4536) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:17,975 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:45:17,976 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:17,982 [lib.api.process] INFO: Injected into 64-bit <Process 4440 ShellExperienceHost.exe>\n2026-06-29 05:45:17,986 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 4440\n2026-06-29 05:45:17,988 [lib.api.process] INFO: Monitor config for process 4440: C:\\2_6me6uj\\dll\\4440.ini\n2026-06-29 05:45:19,501 
[lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:45:19,520 [root] DEBUG: Loader: Injecting process 4440 (thread 4536) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:19,522 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:45:19,523 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:19,530 [lib.api.process] INFO: Injected into 64-bit <Process 4440 ShellExperienceHost.exe>\n2026-06-29 05:45:19,534 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 4440\n2026-06-29 05:45:19,535 [lib.api.process] INFO: Monitor config for process 4440: C:\\2_6me6uj\\dll\\4440.ini\n2026-06-29 05:45:21,339 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:45:21,358 [root] DEBUG: Loader: Injecting process 4440 with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:21,376 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 4536, handle 0x10c\n2026-06-29 05:45:21,378 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2026-06-29 05:45:21,379 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:21,388 [lib.api.process] INFO: Injected into 64-bit <Process 4440 ShellExperienceHost.exe>\n2026-06-29 05:45:44,366 [root] DEBUG: 2868: NtTerminateProcess hook: Attempting to dump process 2868\n2026-06-29 05:45:44,368 [root] DEBUG: 2868: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 05:45:44,374 [root] INFO: Process with pid 2868 has terminated\n2026-06-29 05:45:47,998 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 3904: C:\\Windows\\system32\\DllHost.exe, ImageBase: 0x00007FF6F8BE0000\n2026-06-29 05:45:48,179 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 3904\n2026-06-29 05:45:48,195 
[lib.api.process] INFO: Monitor config for process 3904: C:\\2_6me6uj\\dll\\3904.ini\n2026-06-29 05:45:48,205 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:45:48,220 [root] DEBUG: Loader: Injecting process 3904 (thread 4108) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:48,223 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:45:48,224 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:48,230 [lib.api.process] INFO: Injected into 64-bit <Process 3904 dllhost.exe>\n2026-06-29 05:45:48,234 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 3904\n2026-06-29 05:45:48,237 [lib.api.process] INFO: Monitor config for process 3904: C:\\2_6me6uj\\dll\\3904.ini\n2026-06-29 05:45:48,244 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\pKwfPInu.dll, loader C:\\2_6me6uj\\bin\\QfFFmdso.exe\n2026-06-29 05:45:48,258 [root] DEBUG: Loader: Injecting process 3904 (thread 4108) with C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:48,260 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 05:45:48,261 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\pKwfPInu.dll.\n2026-06-29 05:45:48,266 [lib.api.process] INFO: Injected into 64-bit <Process 3904 dllhost.exe>\n2026-06-29 05:45:48,282 [root] DEBUG: 3904: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 05:45:48,284 [root] DEBUG: 3904: Dropped file limit defaulting to 100.\n2026-06-29 05:45:48,289 [root] DEBUG: 3904: Disabling sleep skipping.\n2026-06-29 05:45:48,295 [root] DEBUG: 3904: YaraInit: Compiled rules loaded from existing file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 05:45:48,318 [root] DEBUG: 3904: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-29 05:45:48,321 [root] DEBUG: 3904: YaraScan: 
Scanning 0x00007FF6F8BE0000, size 0x8026\n2026-06-29 05:45:48,324 [root] DEBUG: 3904: Monitor initialised: 64-bit capemon loaded in process 3904 at 0x00007FF986960000, thread 4108, image base 0x00007FF6F8BE0000, stack from 0x0000009DE78F4000-0x0000009DE7900000\n2026-06-29 05:45:48,327 [root] DEBUG: 3904: Commandline: C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\n2026-06-29 05:45:48,343 [root] DEBUG: 3904: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-29 05:45:48,394 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-29 05:45:48,395 [root] DEBUG: 3904: set_hooks: Unable to hook LockResource\n2026-06-29 05:45:48,409 [root] DEBUG: 3904: Hooked 630 out of 631 functions\n2026-06-29 05:45:48,412 [root] DEBUG: 3904: Syscall hook installed, syscall logging level 1\n2026-06-29 05:45:48,423 [root] DEBUG: 3904: RestoreHeaders: Restored original import table.\n2026-06-29 05:45:48,424 [root] INFO: Loaded monitor into process with pid 3904\n2026-06-29 05:45:48,428 [root] DEBUG: 3904: caller_dispatch: Added region at 0x00007FF6F8BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F8BE12F2, thread 4108).\n2026-06-29 05:45:48,429 [root] DEBUG: 3904: YaraScan: Scanning 0x00007FF6F8BE0000, size 0x8026\n2026-06-29 05:45:48,433 [root] DEBUG: 3904: ProcessImageBase: Main module image at 0x00007FF6F8BE0000 unmodified (entropy change 0.000000e+00)\n2026-06-29 05:45:48,439 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A6030000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-29 05:45:48,443 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-29 05:45:48,450 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-29 05:45:48,482 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A5B50000: 
C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-06-29 05:45:48,515 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A9D30000: C:\\Windows\\System32\\shcore (0xad000 bytes).\n2026-06-29 05:45:48,517 [root] DEBUG: 3904: DLL loaded at 0x00007FF992850000: C:\\Windows\\System32\\thumbcache (0x66000 bytes).\n2026-06-29 05:45:48,582 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A2720000: C:\\Windows\\system32\\propsys (0xf6000 bytes).\n2026-06-29 05:45:53,882 [root] INFO: Process with pid 3904 has terminated\n2026-06-29 05:45:53,885 [root] DEBUG: 3904: NtTerminateProcess hook: Attempting to dump process 3904\n2026-06-29 05:45:53,887 [root] DEBUG: 3904: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 05:47:27,753 [root] INFO: Analysis timeout hit, terminating analysis\n2026-06-29 05:47:27,757 [lib.api.process] INFO: Terminate event set for process 756\n2026-06-29 05:47:27,758 [root] DEBUG: 756: Terminate Event: Attempting to dump process 756\n2026-06-29 05:47:27,760 [root] DEBUG: 756: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 05:47:27,766 [lib.api.process] INFO: Termination confirmed for process 756\n2026-06-29 05:47:27,766 [root] INFO: Terminate event set for process 756\n2026-06-29 05:47:27,767 [root] DEBUG: 756: Terminate Event: monitor shutdown complete for process 756\n2026-06-29 05:47:27,769 [lib.api.process] INFO: Terminate event set for process 3036\n2026-06-29 05:47:27,770 [root] DEBUG: 3036: Terminate Event: Attempting to dump process 3036\n2026-06-29 05:47:27,772 [root] DEBUG: 3036: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 05:47:27,776 [lib.api.process] INFO: Termination confirmed for process 3036\n2026-06-29 05:47:27,777 [root] INFO: Terminate event set for process 3036\n2026-06-29 05:47:27,777 [lib.api.process] INFO: Terminate event set for process 5432\n2026-06-29 05:47:27,779 [root] DEBUG: 3036: Terminate Event: monitor shutdown complete for process 
3036\n2026-06-29 05:47:27,783 [root] DEBUG: 5432: Terminate Event: Attempting to dump process 5432\n2026-06-29 05:47:27,788 [root] DEBUG: 5432: DoProcessDump: Skipping process dump as code is identical on disk.\n2026-06-29 05:47:27,802 [root] DEBUG: 5432: Terminate Event: Shutdown complete for process 5432 but failed to inform analyzer.\n2026-06-29 05:47:32,783 [lib.api.process] INFO: Termination confirmed for process 5432\n2026-06-29 05:47:32,784 [root] INFO: Terminate event set for process 5432\n2026-06-29 05:47:32,786 [root] INFO: Created shutdown mutex\n2026-06-29 05:47:33,787 [root] INFO: Shutting down package\n2026-06-29 05:47:33,788 [root] INFO: Stopping auxiliary modules\n2026-06-29 05:47:33,789 [root] INFO: Stopping auxiliary module: Browser\n2026-06-29 05:47:33,790 [root] INFO: Stopping auxiliary module: Human\n2026-06-29 05:47:34,820 [root] INFO: Stopping auxiliary module: Screenshots\n2026-06-29 05:47:34,821 [root] INFO: Finishing auxiliary modules\n2026-06-29 05:47:34,822 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-06-29 05:47:34,828 [lib.common.results] INFO: Uploading file C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt to files\\1579f6235bdcda8ced8fb6c161a9cfa55c8dddca53970f9683236c9ceca581c3; Size is 2365; Max size: 100000000\n2026-06-29 05:47:34,835 [root] WARNING: Folder at path \"C:\\ngIpjVKr\\debugger\" does not exist, skipping\n2026-06-29 05:47:34,836 [root] WARNING: Folder at path \"C:\\ngIpjVKr\\tlsdump\" does not exist, skipping\n2026-06-29 05:47:34,909 [root] WARNING: Monitor injection attempted but failed for process 4440\n2026-06-29 05:47:34,910 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "2fc9ba960adfa46dd18355d6d2c2933aac8eec0c8124ba63a7c305183b9b19fe",
    "hosts": [
      {
        "ip": "173.194.76.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "108.177.15.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "40.126.31.131",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "108.177.15.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.84",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "66.102.1.138",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.138",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.133.95",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.150.119",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.168.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.168.100",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.206.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "74.125.71.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.16.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [],
    "tcp": [
      {
        "src": "192.168.122.139",
        "sport": 49696,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.122.139",
        "sport": 49697,
        "dst": "74.125.71.94",
        "dport": 443,
        "offset": 95,
        "time": 0.047567129135131836
      },
      {
        "src": "192.168.122.139",
        "sport": 49698,
        "dst": "74.125.206.101",
        "dport": 443,
        "offset": 306,
        "time": 1.6093809604644775
      },
      {
        "src": "192.168.122.139",
        "sport": 49681,
        "dst": "142.251.168.100",
        "dport": 443,
        "offset": 447,
        "time": 4.832211017608643
      },
      {
        "src": "192.168.122.139",
        "sport": 49754,
        "dst": "142.251.168.139",
        "dport": 443,
        "offset": 1118,
        "time": 4.944663047790527
      },
      {
        "src": "192.168.122.139",
        "sport": 49755,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 10697,
        "time": 5.133940935134888
      },
      {
        "src": "192.168.122.139",
        "sport": 49679,
        "dst": "142.251.150.119",
        "dport": 443,
        "offset": 15462,
        "time": 6.979560136795044
      },
      {
        "src": "192.168.122.139",
        "sport": 49686,
        "dst": "74.125.133.95",
        "dport": 443,
        "offset": 15815,
        "time": 9.457056045532227
      },
      {
        "src": "192.168.122.139",
        "sport": 49687,
        "dst": "74.125.206.138",
        "dport": 443,
        "offset": 15956,
        "time": 9.761790990829468
      },
      {
        "src": "192.168.122.139",
        "sport": 49682,
        "dst": "66.102.1.138",
        "dport": 443,
        "offset": 16097,
        "time": 10.20424199104309
      },
      {
        "src": "192.168.122.139",
        "sport": 49680,
        "dst": "74.125.206.84",
        "dport": 443,
        "offset": 16238,
        "time": 17.055225133895874
      },
      {
        "src": "192.168.122.139",
        "sport": 49683,
        "dst": "108.177.15.94",
        "dport": 443,
        "offset": 16379,
        "time": 18.671124935150146
      },
      {
        "src": "192.168.122.139",
        "sport": 49688,
        "dst": "108.177.15.139",
        "dport": 443,
        "offset": 16884,
        "time": 22.15230703353882
      },
      {
        "src": "192.168.122.139",
        "sport": 49762,
        "dst": "40.126.31.131",
        "dport": 443,
        "offset": 17177,
        "time": 22.172132968902588
      },
      {
        "src": "192.168.122.139",
        "sport": 49693,
        "dst": "173.194.76.94",
        "dport": 443,
        "offset": 40321,
        "time": 27.11421799659729
      },
      {
        "src": "192.168.122.139",
        "sport": 49695,
        "dst": "108.177.15.139",
        "dport": 443,
        "offset": 138837,
        "time": 30.897834062576294
      },
      {
        "src": "192.168.122.139",
        "sport": 49767,
        "dst": "74.178.76.54",
        "dport": 443,
        "offset": 176348,
        "time": 33.6988890171051
      },
      {
        "src": "192.168.122.139",
        "sport": 49769,
        "dst": "74.178.76.128",
        "dport": 443,
        "offset": 185932,
        "time": 33.92841410636902
      },
      {
        "src": "192.168.122.139",
        "sport": 49775,
        "dst": "151.101.62.172",
        "dport": 80,
        "offset": 224317,
        "time": 94.22342801094055
      }
    ],
    "udp": [
      {
        "src": "192.168.122.139",
        "sport": 5353,
        "dst": "224.0.0.251",
        "dport": 5353,
        "offset": 10297,
        "time": 5.019844055175781
      },
      {
        "src": "192.168.122.139",
        "sport": 50813,
        "dst": "224.0.0.252",
        "dport": 5355,
        "offset": 10465,
        "time": 5.030864953994751
      },
      {
        "src": "192.168.122.139",
        "sport": 62885,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 15226,
        "time": 5.704198122024536
      },
      {
        "src": "192.168.122.139",
        "sport": 56063,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 40462,
        "time": 27.682673931121826
      },
      {
        "src": "192.168.122.139",
        "sport": 55300,
        "dst": "224.0.0.252",
        "dport": 5355,
        "offset": 40651,
        "time": 27.687101125717163
      },
      {
        "src": "192.168.122.139",
        "sport": 55301,
        "dst": "239.255.255.250",
        "dport": 1900,
        "offset": 138605,
        "time": 30.725539922714233
      },
      {
        "src": "192.168.122.139",
        "sport": 58931,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 139512,
        "time": 33.410784006118774
      },
      {
        "src": "192.168.122.139",
        "sport": 59546,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 175485,
        "time": 33.66808104515076
      },
      {
        "src": "192.168.122.139",
        "sport": 63303,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 175787,
        "time": 33.6749210357666
      },
      {
        "src": "192.168.122.139",
        "sport": 55855,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 180539,
        "time": 33.77285408973694
      },
      {
        "src": "192.168.122.139",
        "sport": 57517,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 221748,
        "time": 83.12623405456543
      },
      {
        "src": "192.168.122.139",
        "sport": 57518,
        "dst": "239.255.255.250",
        "dport": 1900,
        "offset": 227593,
        "time": 150.7381329536438
      }
    ],
    "icmp": [],
    "http": [],
    "dns": [],
    "smtp": [],
    "irc": [],
    "dead_hosts": []
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "stealth_network",
      "description": "Network activity detected but not expressed in monitor API logs",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "ip": "173.194.76.94"
        },
        {
          "ip": "108.177.15.139"
        },
        {
          "ip": "40.126.31.131"
        },
        {
          "ip": "108.177.15.94"
        },
        {
          "ip": "74.125.206.84"
        },
        {
          "ip": "66.102.1.138"
        },
        {
          "ip": "74.125.206.138"
        },
        {
          "ip": "74.125.133.95"
        },
        {
          "ip": "142.251.150.119"
        },
        {
          "ip": "142.251.168.139"
        },
        {
          "ip": "142.251.168.100"
        },
        {
          "ip": "74.125.206.101"
        },
        {
          "ip": "74.125.71.94"
        },
        {
          "ip": "142.251.16.94"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antivm_checks_available_memory",
      "description": "Checks available memory",
      "categories": [
        "antivm"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 5432,
          "cid": 1254
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_keyboard_layout",
      "description": "Queries the keyboard layout",
      "categories": [
        "location_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 5432,
          "cid": 918
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 923
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 997
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1023
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1060
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1138
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1142
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1144
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1146
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1350
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1354
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1539
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1558
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1560
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1562
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1564
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1568
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1571
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1575
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1577
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1579
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1581
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1586
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1588
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1590
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1592
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1594
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1596
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1598
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1600
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1602
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1604
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1607
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1609
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1613
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1615
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1617
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1621
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1624
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1626
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1628
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1631
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1640
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1648
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1650
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1653
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1655
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1657
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1659
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1661
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1663
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1665
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1667
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1669
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1671
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1673
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1675
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1677
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1679
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1681
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1683
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1685
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1687
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1689
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1691
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1693
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1695
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1697
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1699
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1701
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1703
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1705
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1707
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1709
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1711
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1713
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1715
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1717
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1719
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1721
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1723
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1725
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1727
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1729
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1731
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1733
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1735
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1737
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1739
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1741
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1743
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1745
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1747
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1749
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1751
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1753
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1755
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1757
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1759
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1761
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1763
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1765
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1767
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1769
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1771
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1773
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1775
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1777
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1779
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1781
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1783
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1785
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1787
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1789
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1791
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1793
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1795
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1797
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1799
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1801
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1803
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1805
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1807
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1809
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1811
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1813
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1815
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1817
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1819
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1821
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1823
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1825
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1827
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1829
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1831
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1833
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1835
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1837
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1839
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1841
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1843
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1845
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1847
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1849
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1851
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1853
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1855
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1857
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1859
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1861
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1863
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1865
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1867
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1869
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1871
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1873
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1875
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1877
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1879
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1881
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1883
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1885
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1887
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1889
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1891
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1893
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1895
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1897
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1899
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1901
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1903
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1905
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1907
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1909
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1911
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1913
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1915
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1917
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1919
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1921
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1923
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1925
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1927
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1929
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1931
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1933
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1935
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1937
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1939
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1941
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1943
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1945
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1947
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1949
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1951
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1953
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1955
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1957
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1959
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1961
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1963
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1965
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1967
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1969
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1971
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1973
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1975
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1977
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1979
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1981
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1983
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1985
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1987
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1989
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1991
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1993
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1995
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1997
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1999
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2001
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2003
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2005
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2007
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2009
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2011
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2013
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2015
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2017
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2019
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2021
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2023
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2025
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2027
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2029
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2031
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2033
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2035
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2038
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2040
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2042
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2044
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2046
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2048
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2050
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2052
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2054
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2056
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2058
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2060
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2062
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2064
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2066
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2068
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2070
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2072
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2074
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2076
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2078
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2080
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2082
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2084
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2086
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2088
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2090
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2092
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2094
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2096
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2098
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2100
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2102
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2104
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2106
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2108
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2110
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2112
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2114
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2116
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2118
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2120
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2122
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2124
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2126
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2128
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2130
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2132
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2134
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2136
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2138
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2140
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2142
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2144
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2146
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2148
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2150
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2152
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2154
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2156
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2158
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2160
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2162
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2164
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2166
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2168
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2170
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2172
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2174
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2176
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2178
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2180
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2182
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2184
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2186
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2188
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2190
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2192
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2194
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2196
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2198
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2200
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2202
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2204
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2206
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2208
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2210
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2212
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2214
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2216
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2218
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2220
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2222
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2224
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2226
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2228
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2230
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2232
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2234
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2236
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2238
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2240
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2242
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2244
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2246
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2248
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2250
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2252
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2254
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2256
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2258
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2260
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2262
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2264
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2266
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2268
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2270
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2272
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2274
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2276
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2278
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2280
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2282
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2284
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2286
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2288
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2290
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2292
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2294
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2296
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2298
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2300
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2302
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2304
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2306
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2308
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2310
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2312
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2314
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2316
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2318
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2320
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2322
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2324
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2326
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2328
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2330
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2332
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2334
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2336
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2338
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2340
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2342
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2344
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2346
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2348
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2350
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2352
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2354
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2356
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2358
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2360
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2362
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2364
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2366
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2368
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2370
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2372
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2374
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2376
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2378
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2380
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2382
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2384
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2386
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2388
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2390
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2392
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2394
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2396
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2398
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2400
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2402
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2404
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2406
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2408
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2410
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2412
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2414
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2416
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2418
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2420
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2422
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2424
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2426
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2428
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2430
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2432
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2434
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2436
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2438
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2440
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2442
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2444
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2446
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2448
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2450
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2452
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2454
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2456
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2458
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2460
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2462
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2464
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2466
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2468
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2470
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2472
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2474
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2476
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2478
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2480
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2482
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2484
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2486
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2488
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2490
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2492
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2494
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2496
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2498
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2500
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2502
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2504
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2506
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2508
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2510
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2512
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2514
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2516
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2518
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2520
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2522
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2524
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2526
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2528
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2530
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2532
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2534
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2536
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2538
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2540
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2542
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2544
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2546
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2549
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2552
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2554
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2557
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2559
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2561
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2563
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2565
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2567
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2569
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2571
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2573
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2575
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2577
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2579
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2581
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2583
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2585
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2587
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2589
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2591
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2593
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2595
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2597
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2599
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2601
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2603
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2605
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2607
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2610
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2612
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2617
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2619
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2621
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2624
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2626
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2629
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2631
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2634
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2636
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2639
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2641
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2643
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2646
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2648
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2650
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2653
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2656
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2659
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2661
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2664
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2666
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2668
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2670
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2672
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2676
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2679
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2681
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2684
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2703
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2706
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2708
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2710
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2713
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2716
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2718
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 2721
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 813
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 1107
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3636,
          "cid": 62
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 66
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 343
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 471
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 475
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 737
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 386
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 462
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 3636,
          "cid": 15
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "cmdline_terminate",
      "description": "Executed a command line with the /C or /R argument, which terminates the command shell on completion and can be used to hide execution",
      "categories": [
        "command"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "command": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "stealth_timeout",
      "description": "Possible date expiration check, exits too soon after checking local time",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "process": "cmd.exe, PID 2108"
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 837
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "privilege_elevation_check",
      "description": "Queries process token information to check for Administrator privileges or UAC elevation status",
      "categories": [
        "discovery",
        "privilege_escalation"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 2108,
          "cid": 821
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 95
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 115
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1246
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1273
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 1409
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 68
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 149
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 68
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 151
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "query_fips_reconnaissance",
      "description": "Queried the FIPS cryptography policy, which can be used to adapt C2 network encryption but is also queried by legitimate encryption software",
      "categories": [
        "discovery",
        "c2"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 2108,
          "cid": 282
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 283
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 286
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 288
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 289
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 61
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 62
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 65
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 67
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 68
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 59
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 60
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 63
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 65
        },
        {
          "type": "call",
          "pid": 5432,
          "cid": 66
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 48
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 49
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 52
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 54
        },
        {
          "type": "call",
          "pid": 5760,
          "cid": 55
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 48
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 49
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 52
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 54
        },
        {
          "type": "call",
          "pid": 3904,
          "cid": 55
        },
        {
          "behavioral_fips_reconnaissance": [
            "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'"
          ]
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "mountpoints_volume_discovery",
      "description": "Queries the mount points and then resolves volume paths to enumerate storage devices",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 2108,
          "cid": 368
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 373
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 383
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 386
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 391
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 399
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 402
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 407
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "creates_suspended_process",
      "description": "Creates a process in a suspended state, likely for injection",
      "categories": [
        "injection",
        "process hollowing"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 2108,
          "cid": 773
        },
        {
          "type": "call",
          "pid": 756,
          "cid": 37
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "resumethread_remote_process",
      "description": "Resumed a thread in another process",
      "categories": [
        "injection",
        "unpacking"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "thread_resumed": "Process svchost.exe with process ID 756 resumed a thread in another process with the process ID 4440"
        },
        {
          "type": "call",
          "pid": 756,
          "cid": 38
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "discover_registry_mount_points",
      "description": "Queries registry mount points to identify historical or connected removable/network drives",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "uses_windows_utilities",
      "description": "Uses Windows utilities for basic functionality",
      "categories": [
        "command",
        "lateral"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "command": "C:\\Windows\\system32\\cmd.exe  /K \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\test.bat\""
        },
        {
          "command": "systeminfo"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "hardware_id_profiling",
      "description": "Queries the Volume Serial Number or Physical Hardware ID, possibly for anti-sandbox, victim profiling or environmental keying",
      "categories": [
        "evasion",
        "recon",
        "anti-sandbox"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 2108,
          "cid": 84
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "amsi_enumeration",
      "description": "Enumerated Anti-Malware Scan Interface (AMSI) providers, a potential precursor to AMSI bypass or EDR unhooking",
      "categories": [
        "discovery",
        "defense_evasion"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4468,
          "cid": 276
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 278
        },
        {
          "type": "call",
          "pid": 4468,
          "cid": 283
        },
        {
          "amsi_enumeration": [
            "systeminfo.exe (PID: 4468) probed AMSI registry 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\'",
            "systeminfo.exe (PID: 4468) probed AMSI registry 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers'",
            "systeminfo.exe (PID: 4468) probed AMSI registry 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}'"
          ]
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "process_creation_suspicious_location",
      "description": "Created a process from a suspicious location",
      "categories": [
        "execution"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\information.txt"
        },
        {
          "command": "information.txt "
        },
        {
          "type": "call",
          "pid": 2108,
          "cid": 249
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 10.0,
  "ttps": [
    {
      "signature": "stealth_network",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "hardware_id_profiling",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "E1082",
        "E1480.001"
      ]
    },
    {
      "signature": "antivm_checks_available_memory",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "amsi_enumeration",
      "ttps": [
        "T1518",
        "T1562"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "privilege_elevation_check",
      "ttps": [
        "T1033",
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "query_fips_reconnaissance",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "mountpoints_volume_discovery",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "process_creation_suspicious_location",
      "ttps": [
        "T1106"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "creates_suspended_process",
      "ttps": [
        "T1055"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "resumethread_remote_process",
      "ttps": [
        "T1055"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "cmdline_terminate",
      "ttps": [
        "T1059"
      ],
      "mbcs": [
        "OB0009",
        "E1059"
      ]
    },
    {
      "signature": "discover_registry_mount_points",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "uses_windows_utilities",
      "ttps": [
        "T1202"
      ],
      "mbcs": [
        "OB0009",
        "E1203.m06"
      ]
    }
  ],
  "malstatus": null
}